Also Inside


Interview  with  White  House 
Security  Evangelists  Richard 
Clarke  and  Howard  Schmidt 

PAGE  50 

How  to  Blend  Physical  and 
Info  Security  PAGE40 

Biometrics  Slouches  Toward 
the  Mainstream  page  63 


THE RESOURCE FOR SECURITY EXECUTIVES


SEPTEMBER 2002
www.csoonline.com

Because success depends on playing well with other key executives, learn how (and with whom) to talk turkey in The CSO's Guide to Strategic Shmoozing PAGE 34


Motorola  CISO  Bill 
Boni  is  listening. 


Full  2  Gbps  Network  Defense  System 

Software-based  solutions  running  on  Pentium™,  SPARC,  or 
MIPs  processors  are  too  slow  to  offer  real-time  network 
defense.  UnityOne  is  built  on  custom  security-specific  processors 
designed  for  ultra-high-speed  network  security  applications. 

Stops  Worms,  Viruses, 
Trojans,  Blended  Threats,  DDoS 

Blocks  thousands  of  attack-types  based  on 
absolute  attack  filters. 

Digital  Vaccine™  Update  Service 

Digital Vaccines™ are developed and delivered by TippingPoint's Threat Management Center, which monitors over 10,000 sensors around the world to rapidly inoculate UnityOne systems against first-strike attacks.


Introducing UnityOne!

The Active Network Defense System that protects networks at 2 Gbps.

UnityOne is a security breakthrough. It is an ultra-high performance active network defense system that blocks network attacks before critical resources are damaged.


Protect. 

Active  Network  Defense 


High  Availability  Mode 

Active-Active  Redundant  Protection 

Up  to  40  Physical  Security  Zones 

Prevents  both  external  and  internal  attacks.  Security  policies 
can  be  set  to  protect  by  user,  department  and  site. 


UnityOne becomes a seamless element of the network infrastructure - shooting down Internet and Intranet attacks in real-time. In delivering pre-emptive network defense, UnityOne is unyielding to hostile information attacks. Worms, viruses, trojan horses, blended threats, multi-headed threats, hybrid attacks, DoS and DDoS attacks are all vanquished at 2 gigabits per second.

[Diagram: Active Network Defense Architecture. Corporate LAN behind the Firewall; UnityOne security zones shown include Zone 2 (Intranet), Zone 3 (Wireless Services) and Zone 40 (Engineering Dept.).]


Copyright  ©  2002  TippingPoint  Technologies.  UnityOne  is  a  trademark  of  TippingPoint  Technologies. 




A  Level  of  Security  Beyond  the 
Firewall  and  IDS 

Network defense systems are an emerging class of products that significantly improve network security.


UnityOne  Defends  at  2  Gbps 

UnityOne  performs  high-speed  packet  and  flow  reassembly,  stateful  inspection, 
packet  classification  and  unanchored  content  searching.  The  following  table 
shows  UnityOne's  performance  in  terms  of  Intel®  Pentium®  Equivalents  (PE). 


UnityOne's  processing 
capabilities  include: 

TCP  session  flow  reassembly 

IP  and  UDP  fragment  reassembly 

Session  state  tracking  at  250,000 
sessions  per  second 

Application  layer  protocol  decoding 

Full  regular  expression  matching 
across  multiple  packets 


Packet Size                               UnityOne™ Pentium Equivalents* (PE)
64 bytes (Fragmented Attacks)             78 PE
384 bytes (Avg. Enterprise Packet Size)   42 PE
1500 bytes (Max IP Packet Size)           21 PE

*Intel® Pentium® III 1 GHz, 768 MB RAM when applied to Intrusion Blocking. Performance metrics derived from NSS Group, Europe's foremost independent network and security testing organization.


Fast. 


2 Gigabits per second


UnityOne  strengthens  the  effectiveness  of  firewalls  by 
blocking  hostile  traffic  that  has  infiltrated  open  ports.  And 
while  IDS  products  are  somewhat  useful  in  cleaning  up 
post-attack  damage,  the  amount  of  information 
and  alerts  they  generate  can  be  overwhelming. 

But  with  UnityOne,  blocked  attacks  cause  no 
damage.  Period. 


All other trademarks are the property of their respective owners. All rights reserved.


Fast Protection Program

Aggressive cyber-attacks are accelerating. The TippingPoint Fast Protection Program is a no-risk network lock-down program. Once qualified, UnityOne is installed in your network for 30 days. At the end of the testing period, UnityOne is purchased and kept in place or the system can be returned.

To enroll in the TippingPoint Fast Protection Program, call a TippingPoint Security Specialist at 1-88UNITYONE or visit www.tippingpoint.com

UnityOne from TippingPoint Technologies




The  company  that  pioneered  enterprise 
security  just  revolutionized  it. 


Symantec Integrated Security

Integrated Gateway Security:
Intrusion Detection
Firewall/VPN
Content Filtering
Virus Protection
Management

Integrated Client Security:
Intrusion Detection
Firewall
Virus Protection
Management

Introducing the secure enterprise. Before the Internet, before laptops, before e-anything, Symantec™ was protecting companies from virus attacks and malicious code. But today's world is radically different. Threats have become more complex, dangerous and costly; and security that was once considered adequate is now rightly seen as incomplete and vulnerable. Now a revolutionary solution has arrived. Symantec Integrated Security is comprehensive security that protects your entire enterprise. Every element is designed to work together as a seamless and unified system. The result is more efficient management, quicker response to new threats and, ultimately, better protection for your whole company—from your gateway with Symantec™ Gateway Security, to your clients with Symantec™ Client Security. It's a new way to understand and create the truly secure enterprise. Join the revolution. Visit http://ses.symantec.com/USB000A8VDl or call 800-/45-6054 for our free White Paper, “Integrated Security: Creating the Secure Enterprise.”


Symantec, 




COLUMNS 

30  Disaster  Recovery  Redefined 

SECURITY  COUNSEL  OppenheimerFunds’  Mike  Hager 
answers  readers’  questions  about  planning  for  the 
unpredictable.  Edited  by  Kathleen  Carr 

32  Who’s  Responsible  for  Being 
Responsible? 

FLASHPOINT  Our  law,  ethics  and  privacy  columnist 
weighs  in  on  taking  security  responsibility  to  the  top  of 
the  corporate  ladder.  By  David  H.  Holtzman 

66  Double-Edged  Success 

CSO  UNDERCOVER  One  anonymous  CSO’s  account  of 
the  ironies  of  the  security  budgeting  process. 


DEPARTMENTS 


34  Cover  Story  Let’s  Talk 

THE  CSO  ROLE  A  CSO’s  guide  to  strategic  shmoozing. 

By  Daintry  Duffy 

40  Taming  the  Two-Headed  Beast 

I.T. AND PHYSICAL SECURITY The worlds of IT and physical security are colliding. Find out what to do about it. By Simone Kaplan


15  Briefing 

Reports of increased cyberattacks in 2002; The Fortune 500's digital security efforts still lag; Who's employing the CSO?; Policy mandates; Security blueprints; Government fingerprint of approval; Put your best face forward. Edited by Kathleen Carr and Daintry Duffy


50  Policy  Preachers 

INTERVIEW Richard Clarke and Howard Schmidt are charged with spreading the CSO's gospel to boardrooms across the land. But are their policy commandments ones you want to follow? By Sarah D. Scalet

56  The  Human  Touch 

PROFILE  |  THE  GEORGE  WASHINGTON  UNIVERSITY 

GWU's security officer Krizi Trivisani focuses on the softer skills—like communicating with students and administrators—to help her battle real-life villains.

By  Sarah  D.  Scalet 


26  Wonk 

No more secrets: Why the debate over FOIA exemptions is raising fears of still more corporate chicanery. By Julie Hanson

63  Machine  Shop 

Biometrics  slouches  toward  the  mainstream;  Badge 
cams;  Steganography  tools.  Edited  by  Derek  Slater 

72  Debriefing 

Test  your  D.C.  IQ. 


IN EVERY ISSUE 6 CSOonline.com 10 Letter from the Editor 12 Advisers 70 Index

Cover photo by Jeff Sciortino


4  www.csoonline.com  September  2002 


YOU'RE  PROTECTED  AGAINST  HACKERS,  VIRUSES  AND  WORMS. 

BUT  WHAT  ABOUT  ROSE  IN  BENEFITS? 


eTrust Security Solutions

Complete  protection  for  your  entire  enterprise. 

When  it  comes  to  protecting  your  business,  you  need  security  that  can  protect  your 
enterprise  from  potential  threats,  no  matter  where  they  may  come  from.  That's  exactly 
what  eTrust  does.  Our  family  of  products  allows  you  to  not  only  safeguard  your  entire 
enterprise,  but  also  view  and  manage  that  security  either  centrally  or  from  multiple 
delegated  locations.  So  you  can  continue  to  grow  and  maximize  new  opportunities 
while  minimizing  your  risk.  And  that's  security  you  can  feel  secure  about. 


Computer  Associates™ 


HELLO  TOMORROW 




WE  ARE  COMPUTER  ASSOCIATES 


THE  SOFTWARE  THAT  MANAGES  eBUSINESS™ 


ca.com/etrust/complete 


©2001  Computer  Associates  International,  Inc.  (CA).  All  trademarks,  trade  names,  service  marks,  and  logos  referenced  herein  belong  to  their  respective  companies. 






Security 
Counsel 

HIPAA LEGISLATION This month, Lew Wagner, CISO at the University of Texas Anderson Cancer Center, is available online to answer your questions about HIPAA legislation. Visit SECURITY COUNSEL to post a question or read more about HIPAA. www.csoonline.com/counsel

Related  Stories  on  the  Web 


Career  Resources 

Jump-start or advance your career with the postings in our JOB CENTER and the listings in our EVENT CALENDAR. Need advice? Ask the CAREER ADVISER. Just nosy? Read MOVERS & SHAKERS.

Only  Online 

Check  out  these  weekly  columns: 

MONDAY 

TALK  BACK  Is  the  government  prepared 
for  a  cyberattack?  Tell  us  what  you  think 
about  this  and  other  issues. 


Go to PRINTLINKS for more in-depth information on the topics mentioned in this issue. For more on homeland security, covered in our interview with Richard Clarke and Howard Schmidt (see Page 50), check out the EXECUTIVE POLICY FORUM 3 webcast on protecting the homeland. www.csoonline.com/printlinks


TUESDAY 

SECURITY  CHECK  More  than  87  percent 
of  tech  execs  say  technology  cannot  prevent 
a  terrorist  attack.  What  do  you  think?  Go 
online  to  vote. 

WEDNESDAY 

ANALYST  REPORTS  Research  and 
analysis  from  respected  sources. 


CSO  Research  Centers 

Visit  CSOonline’s  RESEARCH  CENTERS 
for  a  wealth  of  information.  Centers 
include  archived  articles  from  CSO  and  its 
sister  publications,  webcasts,  interviews 
and  links  to  relevant  resources. 

CSO  ROLE  Basics,  profiles  and  member 
organizations  www.csoonline.com/role 

GOVERNMENT  &  LEGISLATION  Laws 
and  liability,  national  security  agencies 
and  organizations 
www.csoonline.com/government 

RISKS  &  ISSUES  Affecting  corporate  and 
IT,  privacy  and  physical  security 

www.csoonline.com/risks 

STRATEGY  &  POLICY  Management,  ROI 
and  policies  www.csoonline.com/strategy 


THURSDAY 

SAFETY  IN  NUMBERS  Surveys  and 
statistics  that  businesses  can  count  on. 

FRIDAY 

CAPITOL HILL Weekly updates on legislation and politicking—inside the Beltway and out.

Exclusive  CSO  Research 

A recent survey of more than 1,000 security professionals found that 60 percent of companies have an employee dedicated to security. Respondents also said they are more concerned about electronic attacks, rather than physical attacks, on their businesses. Go online to read more about the top issues facing security executives and the emerging CSO function. www.csoonline.com/results


THE  RESOURCE  FOR  SECURITY  EXECUTIVES 


President  and  CEO  Joseph  L.  Levy 
Group  Publisher  Gary  J.  Beach 
Publisher  Bob  Bragdon 

EDITORIAL 

Editor  in  Chief  Lew  McCreary 
Executive  Editor  Derek  Slater 
Managing  Editor  Elaine  M.  Cummings 
Managing  Editor,  Production  Cheryl  R.  Asselin 
Senior  Editor  Daintry  Duffy 
Research  Editor  Lorraine  Cosgrove  Ware 
Senior  Writers  Scott  Berinato,  Sarah  D.  Scalet 
Staff  Writer  Simone  Kaplan 
Copy Chief Tom Wailgum

Asst.  Managing  Editor,  Production 

Kathleen  S.  Carr 

Copy  Editors  Kelli  A.  Gauthier  (Assoc.), 

Emily  S.  Henderson,  Sarah  Johnson  (Assoc.) 

Research  Manager  Lynne  Z.  Rigolini 
Editorial  Resource  Manager  Carol  Zarrow 
Editorial  Assistants  Daniel  J.  Horgan,  Joe  Sullivan 

Contributors  Sam  Costello,  Simson  Garfinkel, 
Mike  Hager,  David  H.  Holtzman 

Editorial  Operations  Specialist  Julie  Hanson 

DESIGN 

Executive  Director,  Art  and  Design  Mary  Lester 
Art  Director  Steve  Traynor 
Senior  Designer  Chandra  Tallman 
Design  Group  Assistant  Rachel  Barnett 

WEBSITE 

Senior  VP/General  Manager,  Online  Tim  Horgan 
Web  Editorial  Director  Art  Jahnke 
Executive  Web  Editor  Martha  Heller 
Web  Editor  Sandy  Kendall 
Web  Writer  Jon  Surmacz 
Online  Technology  Director  Dagmar  Eiben 
Senior  Web  Developer  Ellen  Morey 
Online  Research  Manager  Kathleen  Kotwica 
Audience  Development  Manager  Andrew  Burrell 
Web  Developers  Diane  Chen,  Shannon  Macdonald 
Online  Content  Researcher  Tara  Gillet-Liloia 
Designer  Graham  White 


INTERNATIONAL  DATA  GROUP 

Board  Chairman  Patrick  J.  McGovern 
President  and  CEO  Kelly  Conlin 

BPA  INTERNATIONAL  MEMBERSHIP 

Applied  for  September  2002 
©  CXO  Media  Inc. 




Internet 


Why  should  you  look 
at  a  secure  managed 
hosting  solution? 

A recent FBI survey showed that 90% of respondents reported security breaches during the past twelve months. The cost to American business exceeded $260 billion a year.

ServerVault is the number one secure managed hosting company in the world. Our systems were constructed by the people who advised the Pentagon on network security. Our facilities meet Department of Defense SCIF standards and we're the only ones who can say that.

We provide custom solutions backed by unbeatable customer service:

♦ Secured Managed Hosting
♦ Disaster Recovery and Backup
♦ Connecting Closed-User Communities
♦ Storage Solutions
♦ Secure Email Solutions

Check Mate!

Contact us, to win the game, at 1-877-78-VAULT or visit our website at www.servervault.com

ServerVault is a wholly-owned affiliate of Western & Southern Financial Group


INFRASTRUCTURE 


2]  Get  the  infrastructure  you  need  from  team  IBM  -  a  leader  in 
end-to-end  security  solutions.  With  the  help  of  global  security 
experts,  self-managing  servers,  and  Tivoli®  security  software,  you’ll 
know  your  infrastructure  can  be  secure  on  a  Fort  Knox  scale. 


3]  For  more  winning  plays,  visit  ibm.com/e-business 


e-business is the game. Play to win.




HACKING FOR FAME

From the Editor

Dog Days

Since Sept. 11, 2001, security has become something of a frisky new puppy, gamboling in the worldwide limelight and garnering a lot of well-meaning attention (though perhaps not quite enough puppy chow, to judge from the wailing about underfunded mandates in both the public and private sectors). But timing is everything. Through its sad association with catastrophe, security has been made prominent in ways that were probably overdue.

And yet, while the now-intense focus itself is new, security has been quietly important for eons. For as long as computers have existed, their gifted custodians have fretted devotedly about the violability of the data the computers contained. Once networking came along (freaking out most of those same custodians), there quickly followed a wider and wider distribution of the networked data. As a result, the complexity of securing information while also guaranteeing appropriate access has inevitably grown massive. (Concurrently, physical security is increasingly powered by digital means, creating a circumstance in which the two technical infrastructures—and, sometimes, accountability and authority—are converging as a unified activity.)

Steadily, the tension between information-driven opportunity and the security risks of widespread information sharing has also grown. In theory, it would be possible to achieve nearly perfect safety through a process of wholesale disconnection from this inorganic though oddly lifelike grid. But the genie of information will never go back in the bottle. Every enterprise has acquired an addiction to more and better networked intelligence. Customers, employees, trading partners, alliance members—all of the many and varied stakeholders of every interconnected venture—rely on the free flow of information to make decisions, gather insight, share knowledge, market and sell, consummate transactions, monitor and adjust processes, regulate workflow and otherwise make stuff happen.


As the post-9/11 rallying cries have made clear, there will be no duck-and-cover when it comes to computer networks. The mandate of anyone concerned with security is to enable the ongoing pursuit of opportunities in the safest plausible context. That means that the knee-jerk reflex, attributed to many security practitioners, of simply saying “no” to risk is no longer acceptable—if it ever was. Security needs to be accomplished within a matrix of business realities. Risk is situational and must be weighed between the poles of what stands to be gained versus all that could, in the worst instance, be lost.

Consequently, among the skills to be most prized in security chieftains, political and managerial chops will ultimately overshadow technical expertise. Two of the feature stories in this premiere issue of CSO reflect the decisive importance of what is sometimes dismissively called “the soft stuff.” Both Daintry Duffy's “Let's Talk” (Page 34) and Sarah D. Scalet's “The Human Touch” (Page 56) offer useful guidance in the fine art of playing well with others.

Applying the right solutions will become much more a matter of adroit negotiation and persuasion than of specifying some weird new black box that, in any case, may not perform nearly as magically as advertised. In the hope of playing well with our readers, we look forward to your reactions to this inaugural issue.

-Lew McCreary
mccreary@cxo.com




PHOTO  BY  WEBB  CHAPPELL 


You're the king. Strong. Safe. Protected. Right? Wrong.

The fact is, if your network isn't protected by NetScreen, you could be far from safe. You see, technological advances don't only occur in the corporate world. Predators — inside and outside your network — have also made leaps and bounds. Trojan Horses. Worms. Nimda. Code Red. Denial of Service attacks. All emerging threats that many legacy security solutions just can't handle.

NetScreen can. NetScreen's line of purpose-built security systems and appliances has the flexibility and performance to handle new threats. And evolve with them. Keeping not only the central site connected and secure, but also your wireless LANs and remote offices. NetScreen's solutions offer integrated VPN, firewall and network attack blocking. All of which are key to keeping predators under control. And your entire enterprise out of trouble. Find out more about securing your place at the top. Download a white paper on protecting your network from the new generation of security threats at www.netscreen.com/ad/na_cs.

NetScreen
Scalable Security Solutions




CSO wishes to thank the following individuals for serving as our editorial Board of Advisers, supplying their expertise and guidance to CSO's editors.*


Chris  Christiansen 
Program  Vice  President,  eBusiness 
Infrastructure  and  Security  Software 
IDC 

Stephen  E.  Cross 
Director  and  CEO 
Software  Engineering  Institute  and 
CERT  Coordination  Center 
Carnegie  Mellon  University 

David  Cullinane 
Senior  Security  Consultant,  nCipher  Inc. 
and  President,  Information  Systems 
Security  Association 

Dorothy  Denning 

Callahan  Family  Professor, 

Computer  Science  Department 
Georgetown  University 

Daniel  E.  Geer  Jr. 

CTO,  @Stake 

David  M.  Hager 
Vice  President,  Network  Security 
and  Disaster  Recovery 
OppenheimerFunds 


John  Hartmann 

Vice  President  of  Security  and 

Corporate  Services,  Cardinal  Health  Inc. 

Steve  Katz 

President,  Security  Risk  Solutions 

Micki  Krause 
Chief  Security  Officer 
Pacific  Life  Insurance 

Bruce  Schneier 

CTO,  Counterpane  Internet  Security 

John  Tritak 

Director 

Critical  Infrastructure  Assurance  Office 

Krizi  Trivisani 
Information  Security  Officer 
The  George  Washington  University 

James  Wade 

Chief  Security  Officer,  Federal  Reserve 
System  and  President,  ISC2 

Robert  Weaver 
Assistant  Special  Agent  in  Charge 
Secret  Service  Electronic  Crimes  Task  Force, 
New  York  City 


HOW  TO  REACH  US 
E-MAIL 

csoletters@cxo.com 

PHONE 

508  872-0080 

FAX 

508  879-7784 

ADDRESS 

CSO  Magazine 
492  Old  Connecticut  Path, 

P.O. Box 9208
Framingham,  MA 
01701-9208 

SUBSCRIBER  SERVICES 

866  354-1125 

FAX 

847  564-9002 

E-MAIL 

cso@omeda.com 

REPRINTS 

Reprints  are  available  by  calling 
Reprint  Services  at  651  582-3834,  or  via  e-mail 
at  csoreprints@reprintservices.com. 


ABOUT IDG International Data Group (IDG), the leading global provider of IT media, research, conferences and events, informs more people about technology than any other company in the world. Offering the widest range of media options, IDG reaches more than 120 million technology buyers in 85 countries representing 95 percent of worldwide IT spending. IDG publishes more than 300 newspapers and magazines in 85 countries, led by the Computerworld, InfoWorld, Macworld, Network World, PC World and CIO global product lines. IDG offers online users the largest network of technology-specific sites around the world through IDG.net (www.idg.net), a gateway to IDG's 330 websites powered by more than 2,000 journalists reporting from every continent in the world. IDG also produces 168 technology-related conferences and events, and research company IDC provides global market intelligence, analysis and forecasts in 43 countries.


*Their  participation  does  not  imply  an  endorsement  of  the  magazine’s  contents  or  opinions. 


“I  remember  sitting  on  one  roundtable 
of  security  experts  last  year,  and  if  you 
looked  around  the  table  you’d  see  man  in 
suit,  man  in  suit,  man  in  suit— who’s  that 
chick  at  the  end?” 

-GEORGE  WASHINGTON  UNIVERSITY’S  KRIZI  TRIVISANI 




PHOTO  BY  RON  HOLTZ 


In  the  Midst  of  the  Telecom  Storm... 

Is  your  Network  Provider  a  Safe  Harbor? 


The  Network  that  Powers  Wall  Street™ 


1-800-SAVVIS- 1 
www.savvis.net/testimonials 


There are some things you just can't take a chance on...and your business data communications is certainly one of them. Wherever you are, whatever time it is, you need to know that your network is there when you need it.

Available.  Predictable.  Secure. 

From  Wall  Street  to  Main  Street,  SAVVIS  is  the  financially  sound  choice  for 
people  who  demand  a  proactive  managed  IP  service  provider.  SAVVIS  has 
been  delivering  high  performance  IP  VPN  and  managed  hosting  services  to 
financial  institutions,  professional  services  firms,  and  retail  enterprises  for 
years.  And,  SAVVIS  has  one  of  the  strongest  balance  sheets  in  the  industry. 

Don’t  just  take  our  word  for  it.  Visit  our  web  site  and  discover  what  the  Chicago 
Board  Options  Exchange,  Looksmart,  the  Philadelphia  Stock  Exchange, 

RM  Crowe,  Shearman  &  Sterling,  Fitch  Ratings,  Telezoo  and  so  many  others 
have  to  say  about  working  with  SAVVIS. 


Trust  the  Network  that  Powers  Wall  Street 

to Empower your Business.


Every  time  someone 
comes  to  your  door, 
a  decision  is  made. 

The  CCD  chip  behind 
the  lens  captures  an  image, 
and  the  microprocessor 
looks  for  a  match. 

One  second  later— 
access  permitted  or 
access  denied. 

The iris of the human eye.
Unique as a snowflake,
more absolute than
a fingerprint. Perfect key,
meet the perfect lock.

Get in at www.lgiris.com


THERE'S A REASON
LIARS, THIEVES AND SPIES


NEVER  MAKE 


News,  Stats  and  Fast  Facts 

Edited  by  Kathleen  Carr  and  Daintry  Duffy 




CYBERSECURITY 


Reports  of 
Increased 
Cyberattacks  in 
2002 

THE FLOW OF SOFTWARE vulnerabilities and attempts by attackers to break into systems has showed no sign of abating in the first half of 2002, according to statistics released in July by CERT and Riptech, a network security provider. For the first half of 2002, CERT reported that it logged 43,136 security incidents. There were only 52,658 security incidents in all of 2001. However, the increase can be attributed in part to better reporting and awareness and not to substantially increased attack activity, a CERT representative says. Security incidents have been steadily increasing since 1988, when CERT first started tracking them. The number of security incidents exploded to 10,000 in 1999, a huge increase from 4,000 the year before. In 2000, incidents more than doubled again to 21,756. In terms of software-related security vulnerabilities, 2,148 have been disclosed so far this year, almost equaling the 2,437 announced in all of 2001.


The Fortune 500's Digital Security Efforts Still Lag


IN APRIL, ERNST & YOUNG CONDUCTED a survey of 91 Fortune 500 companies to determine their strength and the extent of their digital security programs. The survey found that few companies had security technology and policy in place that amounted to “world class” digital security. The survey polled executives and senior managers from companies in sectors including technology and media, financial services, automotive, energy and telecommunications. The companies ranged in size from fewer than 10,000 employees to more than 250,000. Ernst & Young examined the companies' intrusion and virus detection capabilities, incident response plans, policies, standards and guidelines, and vulnerability management programs.

The telecom industry (scoring 58 out of a possible 75 points) stood out as the most prepared industry in the study, grabbing top marks in all but two categories. Financial services (53) and technology and media (51) companies followed, demonstrating above-average security preparedness. Energy companies, however, were exposed as the least prepared of the included groups, as they tallied below-average scores in seven categories and scored the lowest in three.

The type of industry examined played a role in the scores, the study found, as it was fitting that the data- and technology-driven telecommunications companies were most prepared for digital security incidents, whereas the primarily physical-infrastructure-based energy companies scored higher in physical security and business continuity areas.

The scores indicate to Ernst & Young that “the inevitability of an incident occurring has become accepted, and the ability of an organization to react adequately has allowed a false, smug confidence to pervade the marketplace.”

“Organizations must be prepared to respond—not react—to a digital security incident,” the report says. The full survey can be found online at www.csoonline.com/printlinks. -Sam Costello


Who’s  in 
Charge? 

GOVERNMENT If you've never been sure who to talk to in the government about cybersecurity, there's a pretty good reason for your confusion. There are at least 50 federal organizations with cybersecurity responsibilities, according to a report from the General Accounting Office (GAO). Parts of the Office of Management and Budget, the Federal Communications Commission, the Department of Defense and even the Environmental Protection Agency perform critical infrastructure protection (CIP) duties,


the report found. And while some organizations were able to accurately describe their relationship to other federal agencies involved in CIP work, the groups that were working on similar projects did not have consistently established ties, the report said. The president's Critical Infrastructure Protection Board is set to release a strategy for defining roles and establishing communication among organizations on those points this month.

ILLUSTRATION BY BELLE MELLOR

The GAO, which has been a tough critic of the cybersecurity measures taken by a number of government agencies, recommends that that strategy should define “key federal agencies' roles and responsibilities associated with each sector, and the relationships among key CIP organizations.”

The full GAO report can be found at www.csoonline.com/printlinks.

Symantec Bulks Up

VENDOR BUYOUT Security software company Symantec went on a one-day buying spree in July, picking up SecurityFocus, Riptech and Recourse Technologies. It’s a move that could spark consolidation in the security industry, with a price tag of around $355 million (Symantec acquired SecurityFocus for $75 million, Riptech for $145 million and Recourse for $135 million).

“This positions them clearly to own the entire threat-management space,” which includes intrusion detection systems and security intelligence and monitoring services, according to Peter Lindstrom, analyst at the Hurwitz Group.


[Chart: Safety in Numbers: Employment. The Industry You’ll Call Home. CSOs will be prevalent in the software sector, … Source: “The Changing Nature of the Chief Security Officer,” Giga Information Group, 2002]


HIPAA Hooray!

REGULATIONS OK, maybe you’re not doing cartwheels. But for companies staring down HIPAA—the Health Insurance Portability and Accountability Act—it’s time to hit the mats.

Large portions of the 1996 bill that standardizes electronic data interchange for health-care organizations and protects the confidentiality and security of health-related data are finally nearing enactment. Companies affected by HIPAA—including health-care providers, employers, life insurers and universities—are facing an Oct. 16, 2002, compliance date for the electronic standards portion of HIPAA and an April 14, 2003, compliance date for the privacy standards.

Because the regulations for the security standards portion of the bill won’t be introduced until late this year, CSOs might be tempted to put their preparations off, but that would be a mistake. “You can’t have privacy without security,” notes Brian Wyatt, an associate in the health-care group at Ropes & Gray law firm in New York City. CSOs will play a critical role in implementing and enforcing the policies and procedures that govern who has access to protected health information, deciding how information is used within the organization and ensuring that business partners that have access to employee health information implement similar access controls.

Wyatt notes that his team frequently sees that individuals in companies who perform clerical tasks like billing are actually able to access specific individual health-care information because the access codes in the information systems are improperly configured. These kinds of problems will fall largely to the CSO and security team to fix.

CSOs in many companies are also going to find that they have a new executive partner to work with courtesy of HIPAA. The privacy regulations require that affected companies have an individual responsible for ensuring that privacy policies are followed. In large companies that may mean the appointment of a chief privacy officer.

-Daintry Duffy




Custom Publishing Advertising Supplement

THE SECURITY

Creating a Culture of Security

PEOPLE, NOT FIREWALLS, ARE YOUR COMPANY’S FIRST LINE OF DEFENSE

There’s nothing that gets people’s attention like handing them a crisp $100 bill.

That’s how William Hugh Murray remembers a colleague rewarding an employee who followed the corporate security policy and challenged Murray’s friend for strolling around the building without his required security badge. “People start asking other people about their badges, and the wearing of badges gets good really quick,” chuckles Murray, a Certified Information Systems Security Professional (CISSP), consultant with TruSecure Corp. in Herndon, Va., and Corporate Secretary of (ISC)2, the International Information Systems Security Certification Consortium, a non-profit security training and standards organization based in Framingham, Mass.

That’s an example of the kind of creative, consistent reinforcement necessary to forge a culture of security — a work environment in which employees at all levels understand and commit to the need to protect the enterprise not just from physical security breaches, but also virtual intrusions from hackers or viruses. More than just a cost of doing business in the post-9/11 world, creating a culture of security can actually boost productivity and profits by reducing downtime and system outages, says Hal Tipton, CISSP and former president of (ISC)2.

But to achieve these business benefits, senior executives must foster awareness of security risks through education, training and consistent enforcement of proper policies. Everyone from the CEO to the accounts payable clerk must commit to following proper security practices.

DEFINING YOUR CULTURE
Creating a culture of security is no different than creating a “culture of quality” or a “culture of customer service.” The initiative can come from anywhere in the organization — in this case, likely the CIO or Chief Security Officer. But senior management — whoever has the authority to administer recognition and rewards — must promote the change by consistently communicating the business implications of security, and enforcing security policies. At each step in the management hierarchy, says (ISC)2’s Murray, supervisors must evaluate and reward those who report to them based on their adherence to good security practices.

And there’s no room for breakdowns. If an employee goes to a manager to report a security lapse and is brushed off, that staffer won’t speak up again. Similarly, if management preaches the importance of passwords but then casually hands out the same temporary password to every new employee, “The immediate message is that management doesn’t take this very seriously,” Murray says.


The need for top-down leadership — and to ensure security spending is focused on the most critical risks — is reflected in the rise of chief security officers (CSOs). These new executives boost efficiency and security effectiveness by coordinating security efforts across the organization, managing outsourcing contracts and mapping security measures to real business risks, says Steve Hunt, a Vice President at Giga Information Group in Chicago. He knows of about 80 CSOs who report to the CIO level or higher and who coordinate security across all types and sizes of businesses. Hunt expects companies to increase spending on security software by 5 percent this year. “However, in 2002 proportionally more money is being spent on management personnel than in previous years, as part of an effort to ensure security spending delivers business benefit. The move to CSOs is part of this trend, and is working,” Hunt says.




DOING DUE DILIGENCE

BASIC STEPS TOWARD CREATING A CULTURE OF SECURITY IN YOUR ORGANIZATION

■ Identify who is responsible for designing and implementing your information security policy.

■ Communicate that policy with on-going awareness and training programs; establish clear expectations for managers and employees.

■ Create and test a business continuity program to ensure survival of critical data, equipment, and networks and to keep valuable employees.

■ Identify and control critical systems with password management, installation of security patches and fixes of common vulnerabilities. Links to external networks may require encryption, firewalls, authentication and/or intrusion detection systems.

■ Stay vigilant with security reviews, audits, and vulnerability assessments. Monitor vendors and the Web to stay current on latest threats.

■ Make sure the board of directors and corporate officers annually review the status and outlook of your information security program.

■ Provide adequate training and encourage certification of your security staff.

Source: (ISC)2

REMINDERS AND REINFORCEMENTS
Micki Krause, Director of Information Security at a healthcare company on the West Coast, recently saw firsthand how easily security breaches can occur. She hired outside auditors to test her company’s security awareness, and the auditors had a few concerns. In one case, auditors found staff members testing a new system had accidentally exposed the network to outside hacks. In another, auditors posing as support staff were able to get 16 of 22 employees to reveal their user IDs and passwords.

Subsequently, Krause plugged the holes in her organization’s security procedures — and just as importantly, she also rewarded the six employees who refused to disclose their IDs and passwords to the fake “support staff.” But her experience illustrates that even with top-down awareness, creating a culture change doesn’t happen overnight. “Making changes in any environment needs to be incremental, and it needs to be done continuously,” says John Colley, a London-based Vice President and member of the board of directors of (ISC)2. “You can’t just have a security awareness program that runs for two months.”

Giga’s Hunt recommends an ongoing security-awareness process that includes:

■ Identifying critical information assets and risks
■ Crafting a security policy
■ Implementing, administering and auditing the policy
■ Continually reassessing risks.

To ensure a culture of security, security proponents and managers may also have to change some of their own behavior. Too often they get discouraged after a security proposal is rejected by senior management because the risk may not be enough to justify the cost. “You’ve got to understand ‘no’ is a perfectly appropriate answer,” says Murray, especially since budget conditions, or management’s perception of the risk, are subject to change. Department managers who have a budget all got it the same way — “They asked for it and got told ‘no’ a lot,” he says. As long as the risk and cost are explained, it’s up to the business managers to decide whether the cost of the security plan is too high. But Murray feels it is up to him to keep raising security concerns so business managers can decide how much to spend to reduce their risks.

Most companies aren’t doing enough to create a culture of security, says Bruce Murphy, CISSP and CEO of Vigilinx, Inc., a provider of managed security services, consulting and security-related information in Parsippany, N.J. “They don’t understand the value, since it is hard to quantify” the hard-dollar return on security spending. Many companies also underestimate the importance of people and processes in creating a culture of security, he says.

Krause concurs, saying creating a culture of security involves communication, rewards and incentives. “In fact, security is not just technology, it’s really people and processes.”


The Big Picture

INFORMATION SECURITY PROBLEMS ARE GLOBAL, BUT SOME REGIONAL SOLUTIONS ARE UNIQUE

Among the greatest security challenges now facing senior executives worldwide are:

■ The increasing sophistication of network security threats, and the speed at which they change.
■ The ongoing need to educate staff about the importance of information security.

And although some nations and agencies are crafting unique local solutions, studies show that most businesses are not doing enough to overcome these common global problems.

Among recent research findings:

■ Senior Leaders Recognize the Threat. In a fall 2001 survey of 459 CIOs and business managers, Ernst & Young found that 70 percent of respondents cited ever-changing and increasingly sophisticated security threats as their top concern. Employee awareness of security threats was the number two challenge, cited by 66 percent of the respondents.
■ Most Companies Aren’t Doing Enough to Fight Back. In a summer 2001 survey conducted by CIO Magazine and Cambridge, Mass.-based digital security firm @stake, two-thirds of respondents said they did not have a well-defined company-wide security policy or plan.

Faced with this disconnect between awareness and response to global security threats, organizations such as the International Organization for Standardization (ISO) and (ISC)2 are working to create new international security standards. The European Commission has even unveiled a plan that would send hackers and writers of computer viruses to jail for years.

But just as vital as policy-making is education — making global business leaders aware of the risk of embarrassing and costly security breaches, as well as potential shareholder lawsuits that could hold senior management personally responsible for such breaches.

SAFEGUARDING PRIVATE DATA
Intrusions and viruses aren’t the only issues on the minds of global business leaders. Regional privacy laws are also a concern — and they vary by nation. In the U.S., for example, the Health Insurance Portability and Accountability Act (HIPAA) prescribes strict standards for how healthcare providers must protect patient information. But other privacy standards are less clearly defined in the U.S. and elsewhere, and inconsistently enforced from country to country. The only way to stay on top of and within these standards, global security experts say, is for companies to designate staff in each of their global marketplaces to understand individual countries’ rules and ways of doing business so processes can be adapted to meet those local requirements.

WHY SPEND ON SECURITY

HOW TO JUSTIFY COSTS AND SHOW BENEFITS

Potential costs of lax security:

■ Lost sales due to system downtime
■ Loss of proprietary customer or product information
■ Drop in stock price due to security breach
■ Shareholder lawsuits over lax security
■ Customer lawsuits over loss of privacy
■ Regulatory penalties

Potential benefits of strong security:

■ Increased sales and productivity
■ Tighter integration with customers, suppliers
■ Increased customer loyalty
■ Competitive advantage over less secure competitors
■ Lower premiums on “hacker” insurance

Source: Strategic Directions

Some examples of regional variances: some European countries have different definitions for what constitutes a legally acceptable digital signature for an online transaction. And while the European Union’s Data Privacy Directive prevents the collection of most personal data unless the consumer authorizes it, the laws that define “informed consent” vary widely from country to country, says John Colley, Vice President of (ISC)2, in London. “What may be perfectly legal in the [United Kingdom] may be illegal in Germany, or vice versa,” he says.

Enforcement can also vary across global regions. For example, while Hong Kong has adopted an ordinance similar to the EU’s privacy directive, it relies on companies to police themselves rather than on the stricter government enforcement found in Europe.

To cope with the differing global requirements, many companies that do business both in America and in Europe have established “safe harbors” in which they promise to safeguard private data about EU consumers under the laws that apply in those consumers’ countries. But rather than using technology to provide special safeguards, says Colley, the safe harbors are usually “legal constructs more than anything else, based on trust and business expediency” between trading partners.

LEADING THE CHARGE
Mindful of global security threats — and the diversity of regional solutions being deployed against them — several international agencies are at work on various information security standards.

The International Standards Organization (ISO) in December 2000 released its ISO 17799, which it calls “a comprehensive set of controls comprising best practices in information security.” The 10 CISSP domains, which are closely related to the ISO control areas, include:

■ Access Control Systems and Methodology
■ Applications and Systems Development Security
■ Business Continuity Planning (BCP) & Disaster Recovery Planning (DRP)
■ Cryptography
■ Law, Investigations & Ethics
■ Operations Security
■ Physical Security
■ Security Architecture and Models
■ Security Management Practices
■ Telecommunications and Network Security

Clearly, there is no single solution to eliminate the global security threat, but increased awareness and action will minimize risk.

ALIGNING SECURITY AND BUSINESS

10 QUESTIONS TO ASK YOURSELF ABOUT SECURITY:

1. Does your board of directors recognize that information security is a board-level issue that cannot be left to IT alone?

2. Is there clear accountability for information security in your organization?

3. Can your board members articulate an agreed set of threats and critical assets? How often do you review and update this?

4. Do you know how much is spent on information security and what it is being spent on?

5. What would be the impact on the organization of a serious security incident?

6. Does your organization see information security as an enabler? (For example, by implementing effective security, could you enable your organization to increase business over the Internet?)

7. Has your business assessed the risk of getting a reputation for slackness in security?

8. What steps have you taken to ensure that third parties will not compromise the security of your organization?

9. How do you obtain independent assurance that information security is managed effectively in your organization?

10. How do you measure the effectiveness of your information security activities?

Source: Ernst & Young




The ROI of Certification

SECURITY CERTIFICATION ISN’T JUST A COST; IT’S AN INVESTMENT

An hour a day, seven days a week, for nine months. That’s the time commitment made by Chuck Bianco, a 17-year security veteran, in preparation for his Certified Information Systems Security Professional (CISSP) certification in November 2001. “I’m as proud of that certification as anything else I’ve done in business,” says Bianco, Manager of IT Examinations for the U.S. Treasury Dept. in Dallas. But more than just new credentials and personal pride, this certification has given Bianco a strategic new position at a key time in his enterprise’s battle against information security threats.

People such as Bianco are a hot commodity these days. In an increasingly security-conscious world, CIOs need professionals like Bianco who have the certified skills to secure corporate data and systems. And although certified security personnel do cost more money, the ROI is pretty clear, experts say. “You’re buying protection in case of a shareholder lawsuit resulting from a security problem,” says David Foote, President and Chief Research Officer at research and consulting firm Foote Partners in New Canaan, Conn. “Boards of directors are getting involved, and they realize a high-profile Web breach, or a privacy breach, could harm the reputation of a company and impact revenues,” Foote says. “By saying you have the CISSP on staff, you can show you took prudent and reasonable precautions — you did the best you could,” Foote says.

The CISSP certification is granted by the International Information Systems Security Certification Consortium (ISC)2, a non-profit security association in Framingham, Mass. The certification is “like a badge of honor” that promises its holder can be trusted, says Victor Keong, a partner in the Security Services Practice of Deloitte & Touche in Ontario, Canada. “When we do security consulting, the customer’s prime concern is ‘are my secrets safe?’” Certification can help assure them the security professional they hire is not himself a hacker, he says.

Along with three years of practical experience, CISSP exam applicants need in-depth knowledge of the 10 domains within (ISC)2’s Common Body of Knowledge (CBK). The CBK is a central, standard list of key security knowledge. Domains within the Common Body of Knowledge include security architecture and models, cryptography, operations security, access control systems, and law and ethics. Hal Tipton, a former (ISC)2 president, describes the CBK as the topics a security professional “needs to know enough about so they can carry on an intelligent conversation with their peers.”

(ISC)2 also offers review courses and online study guides for its certification exams.

More than showing off the proper skills, security certification tells an employer a security professional is truly knowledgeable and experienced in the field, rather than someone who has just read some books and can use the proper buzzwords, says Tipton, who is now a Security Instructor and Administrator of security training programs.

Employing certified security professionals also helps protect senior management, which can be held personally liable if they fail to take proper security precautions required by law, he says.

“Top management doesn’t have the time to really study all these things and understand what the requirements are,” Tipton says. “That should be up to the qualified security people on their staff, and certification is a way of being assured they are properly qualified.”

[Chart: Worldwide Security Spending on the Rise. For security software: $6 billion in 2001, $14.6 billion (estimated) in 2006. For managed security services: $720 in 2000, $2.2 billion (estimated) in 2005. Source: International Data Corp.]

YOUR RESOURCE FOR MORE CISSP INFORMATION

Contact us at:

(ISC)2 Inc.
(888) 333-4458 (North America)
(727) 738-8657 (North America)
(727) 738-8522 (North America)
info@isc2.org
www.isc2.org

When contacting (ISC)2, please provide your name, full mailing address, telephone and fax numbers, and your e-mail address.

(ISC)2 is a trademark and the CISSP certification is a registered trademark of the International Information Systems Security Certification Consortium, Inc.


Attend the Digital Identity Event of 2002 and find out why Digital Identity is front and center when it comes to security, privacy and network manageability. It’s your identity, join the discussion.

Expert identities speak...

Gordon Eubanks, CEO, Oblix
Brian Arbogast, VP .NET Core Services Platform, Microsoft
Andy Eliopoulos, Sr. Dir. Product Marketing - Identity, Sun Microsystems
Mahi deSilva, VP Corp. Tech. Strategy, VeriSign
Ed Anderson, Dir. Prod. Dev. Identity, Novell
Mark Ford, Principal - Security Services, Deloitte & Touche
Steven Sprague, CEO, Wave Systems
Ram Banerjee, Head Global Product Marketing, ActivCard
Stuart Taylor, VP Marketing, Verifone
Tony Scott, CTO, General Motors
Phil Windley, CIO, State of Utah

Executive Committee

Michael Serbinis, CTO, Critical Path
Ron Schmelzer, Founder, Zapthink
Phil Griffin, Biometrics Committee Chair, OASIS
Esther Dyson, Chairman, EDventure Holdings
Jesse Berst, Managing Director, Athena Institute
Dave Chen, Partner, OVP Venture Partners
Jamie Lewis, CEO, The Burton Group
Brad Feld, Mobius Venture Capital
Alex Tosheff, St. Paul Venture Capital
Walter Knapp, Novell Technology Capital
Rick Patch, Sequel Partners
Maxine Most, Biometrics Market Intelligence
Gus Tai, Trinity Ventures
Allen Weinberg, Glenbrook Partners

Media Sponsors: PingID; The Radicati Group, Inc., a technology and market research firm

Topics: ID Management, ID Standards, Security and Privacy, National ID Cards, Biometrics, Smart Cards, Digital Signatures, Digital Certificates, Trust Services, Digital Reputations, Business Models, Market Trends, Web Services

DIGITAL ID WORLD CONFERENCE 2002

Identity Crisis: Taming the Network

Register Online: www.didw.com/conference

Denver, Colorado, Oct 9-11, 2002


TALKING HEADS

Policy Mandates

IN JULY, A NEW government policy took effect quietly—as these things often do. But the effect of the policy, called NSTISSP No. 11, will be heard loud and clear.

NSTISSP (pronounced nissTISSip) No. 11 stands for National Security Telecommunications and Information Systems Security Policy Number 11. It dictates that before the government buys or creates any software to be used in a national security setting, it must first test the software to ensure it can pass one of the following security criteria:

■ The International Common Criteria for Information Security Technology (ICCIST)

■ The National Security Agency (NSA)/National Institute of Standards and Technology (NIST) National Information Assurance Partnership (NIAP) Evaluation and Validation Program

■ The NIST Federal Information Processing Standard (FIPS) validation program

Confusing acronyms aside, the bottom line is: If software fails a security test by an independent third party, it won’t be purchased until it passes the test. “It’s a big deal. The government really seems to mean it now,” says Mary Ann Davidson, CSO of Redwood City, Calif.-based Oracle.

What Davidson is alluding to is the fact that the government has been trying to employ a uniform policy since 1990, when (warning: more acronyms coming) National Security Directive No. 42 dictated the creation of a committee (the National Security Telecommunications and Information Systems Security Committee, NSTISSC) to draft such a policy. But for years, vendors used loopholes to sidestep the process and obtained waivers from testing.

The significance of NSTISSP No. 11 is that it appears the government is serious this time, that it is drawing a line in the sand—waivers will be much harder to come by (though some will still be obtained). The message from the government is simple: Secure your software, or we won’t buy it.

-Scott Berinato


[Pull quote, mostly illegible: “… sacrifice security.”]

-RICHARD GEORGE, TECHNICAL DIRECTOR OF THE SECURITY EVALUATIONS GROUP AT THE NSA, ON THE BALANCE BETWEEN PRODUCT FEATURES AND PRODUCT SECURITY


Security Blueprints

ENGINEERING How do you design an office building that protects inhabitants from explosions and chemical warfare without creating a structure that looks like a high-rise bomb shelter?

At Weidlinger Associates, a New York City-based structural engineering company with 50 years of experience in protecting buildings, Peter DiMaggio’s clientele have historically been high-risk entities such as government buildings and labs that do animal testing, but that’s no longer the case. “Collateral damage has become a big issue,” DiMaggio says. “In the cases of the Murrah Building in Oklahoma City and the World Trade Center, a large number of buildings in the general area sustained a lot of damage.” Companies that have high-rise buildings or locations in the vicinity of possible targets want to mitigate physical risk. Here are design steps that companies can take to safeguard new facilities or retrofit current buildings.

1. Control vehicle proximity to the building when possible. This is accomplished by placing bollards or large planters around the perimeter to create a cushion of space between the facility and an explosion.

2. Move air intake grilles from the street to the roof to protect the air supply from chemical and biological agents.

3. Strengthen columns and floor slabs so that the building maintains its structural integrity in the event of an explosion. If a building can remain standing for even one or two hours before it collapses, that can make a difference in the human toll.

4. Work with architects to provide a greater degree of fireproofing.

5. Use laminated glass—the kind found in car windshields—on the exterior of the building to protect personnel inside.

All of these steps enhance a building’s security without compromising cost or aesthetics. “If you start backing away from great architecture for the sake of security, then we’ve already lost the battle to the terrorists,” DiMaggio says.

-Daintry Duffy


22  www.csoonline.com  September  2002 


ILLUSTRATION  BY  BELLE  MELLOR 




Phone: 954.958.3878 • e-mail: info@cyberguard.com • For white papers on Rock Solid Security go to: www.cyberguard.com/rocksolid.cfm

Copyright 2002 CyberGuard Corporation. All rights reserved.


CyberGuard’s  security  solutions  are  found  in  Fortune  1000  companies  and  governments 
worldwide.  CyberGuard's  award-winning,  premium  firewall/VPN  appliances  maintain 
complete  separation  of  network  traffic  from  system  components. 


CYBERGUARD WORLDWIDE

DEFEND YOUR DOMAIN


Caption (partly illegible in the scan): “... carriers use to route billions of telephone calls daily and run both the .us and .biz registries.”


“NeuStar’s unique service and position in the telecommunications industry make it a target of attacks. We need ‘rock solid’ security and a vendor who understands what that means. CyberGuard was the first in the world to achieve EAL4 certification for its firewall appliances; that really impressed us.

“We knew they would be capable of providing the level of sophisticated security support we needed and we have not been disappointed; their technical support team knows security and CyberGuard’s ability to deliver on everything they promised enabled us to meet our tight deadline for deliverables. Today we have CyberGuard’s firewall appliances in three countries.

“I have an experienced team, but on more than one occasion I had to enlist the help of a junior engineer to install the firewall. I was able to talk them through the process over the phone. I’m happy to report that those systems have been functioning in a production environment for over one year without a hitch. And CyberGuard rocks the competition in the performance impact category.”


SAFETY IN NUMBERS: COMMUNICATION

All Together Now

Despite a renewed interest in communication between corporate security staffs, few companies have established lasting lines of communication.

At your company, how often do information security staff and physical security staff work together?

A selection of faces from PassFaces, Real User’s facial recognition password system


Put Your Best Face Forward

PASSWORDS ARE REQUIRED for so many of our daily activities that it’s become impossible to remember which website or account is accessed with the name of a beloved pet and which with a parent’s birthday. The result is that people jot their passwords on sticky notes, slap them on their computer for anyone to read, and create a CSO’s security nightmare.

But what if passwords used pictures instead of text? Microsoft is developing an image-based password system that involves an intricate painting, an anatomical drawing of the body or a collection of presidential portraits. Users choose certain parts of the image as their password and must click on them in the proper order for the password to clear. On a portrait of George Washington, for instance, the user could click on his left nostril, right earlobe and the top button on his jacket. Since password privacy is easier to ensure with an image that contains a lot of detail, Microsoft’s program will evaluate the user’s chosen image to ensure that it is complex enough.

However,  random  pictures  can  still 
present  a  security  problem  when  the 
series  of  clicks  is  recorded  on  a  Post-it. 

A Washington, D.C.-based company called Real User believes it has overcome that problem with PassFaces, a facial recognition security program. PassFaces assigns each user five random faces. Users have to memorize the faces, and each time they log on they must choose the same faces from a palette containing decoy faces. PassFaces uses a part of the human brain that specifically recognizes and remembers faces, says Real User CEO Paul Barrett, and that cuts down on security vulnerabilities. “Once you’re familiar with the faces, you’ll never forget them,” he says. “You can’t write down faces or describe them easily to someone else, and you can’t write down where your faces are located on the screen because they’re in a different position each time you log on.”

Because the user recognizes faces rather than recalls a string, the chance of someone looking over your shoulder and memorizing the password is reduced, and PassFaces won’t assign the same combination of faces to anyone else. That makes life a lot easier for users and security executives alike.

-Simone  Kaplan 
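As an added example (not code from the original article or from Real User), here is a toy implementation of the challenge-response login the article describes: enrollment assigns each user five secret faces, and every login shows those faces among decoys in freshly shuffled positions, so there is no fixed screen location to write down. The face identifiers, the 3x3 grid per round, the lockout threshold and the per-user fixed decoy sets are assumptions of this example, not details the article gives. The decoys are fixed deliberately, which covers a failure mode the article does not discuss: if decoys were redrawn on every login, an observer who recorded two challenges for the same round could intersect the grids and the one face common to both would be the secret.

```python
import hmac
import random
import secrets
from dataclasses import dataclass

# Constructed face identifiers standing in for the image library (assumption).
POOL = [f"face{i:03d}" for i in range(120)]
K = 5             # secret faces per user, as described in the article
G = 9             # faces shown per round: one secret plus G-1 decoys (assumed 3x3 grid)
MAX_FAILURES = 5  # online-guessing lockout threshold (assumption)


def _rng(seed):
    """Seeded generator for reproducible demos; the OS CSPRNG otherwise."""
    return random.Random(seed) if seed is not None else secrets.SystemRandom()


@dataclass
class Account:
    secret_faces: list   # the K faces the user must recognise, in round order
    decoys: list         # per round, a FIXED list of G-1 decoys (see enroll)
    failures: int = 0
    locked: bool = False


def enroll(seed=None, pool=POOL, k=K, g=G):
    """Assign K random secret faces and, for each, a fixed decoy set.

    Decoys are fixed per user and per round on purpose: if they were redrawn
    on every login, two recorded challenges for the same round would share
    only the secret face, so an observer could recover it by intersection.
    With fixed decoys a recorded challenge reveals nothing beyond the click.
    """
    rng = _rng(seed)
    secret = rng.sample(pool, k)
    remaining = [f for f in pool if f not in secret]
    decoys = [rng.sample(remaining, g - 1) for _ in secret]
    return Account(secret_faces=secret, decoys=decoys)


def make_challenge(account, seed=None):
    """One grid per round: the secret face plus its decoys, freshly shuffled.

    Only the positions change between logins, which is what defeats
    'second row, third face' written on a Post-it.
    """
    rng = _rng(seed)
    grids = []
    for face, decoy_set in zip(account.secret_faces, account.decoys):
        grid = decoy_set + [face]   # new list, so the stored decoys stay put
        rng.shuffle(grid)
        grids.append(grid)
    return grids


def verify(account, grids, selections):
    """Check one login attempt: selections[i] is the index clicked in grids[i].

    Malformed input counts as a failed attempt, and MAX_FAILURES consecutive
    failures lock the account, because the whole secret space is only G**K
    guesses (59,049 at the defaults), far too small to leave unthrottled.
    """
    if account.locked:
        return False
    ok = False
    if len(selections) == len(grids) and all(
        isinstance(s, int) and 0 <= s < len(grid)
        for s, grid in zip(selections, grids)
    ):
        chosen = ",".join(grid[s] for grid, s in zip(grids, selections))
        expected = ",".join(account.secret_faces)
        ok = hmac.compare_digest(chosen.encode(), expected.encode())
    if ok:
        account.failures = 0
    else:
        account.failures += 1
        if account.failures >= MAX_FAILURES:
            account.locked = True
    return ok


def guess_probability(k=K, g=G):
    """Chance that a single blind attempt succeeds: one in G**K."""
    return 1.0 / (g ** k)


if __name__ == "__main__":
    acct = enroll(seed=1)
    grids = make_challenge(acct, seed=2)
    honest = [grid.index(face) for grid, face in zip(grids, acct.secret_faces)]
    print("honest login:", verify(acct, grids, honest))
    print("blind guess succeeds with probability", guess_probability())
```

Run it directly to see an honest login succeed. The number that matters to a practitioner is guess_probability(): with nine faces per round and five rounds a blind guess succeeds one time in 59,049, less than a five-digit PIN, so the lockout counter, not the secret space, is what makes online guessing impractical.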


Chart not recoverable from the scan; only the response label “Not applicable” survives.

SOURCE: FORRESTER RESEARCH, “I.T. SECURITY FAILS-NOW WHAT SHOULD THE CIO DO?” TOTAL N=82

For more on communication between the IT and physical security teams, see “Taming the Two-Headed Beast,” Page 40.


Government  Fingerprint  of  Approval 

BIOMETRICS  It  is  this  generation’s  voice  recognition  software.  It’s  always  about  to 
become  ubiquitous.  Every  year  is  “The  Year  of  Biometrics."  But,  for  reasons  sensible  and 
not,  it  never  quite  achieves  entrenchment.  Instead,  it  fills  niches.  (For  a  comprehensive 
analysis,  see  “Biometrics  Slouches  Toward  the  Mainstream,”  Page  63.) 

No shame in that. Executives using retinal scans to access e-mail seems like vain overkill anyway. But using it to access, say, NASA research facilities could be beneficial. No industry has to move so much confidential information or provide access to so many sensitive locations as the government, so biometrics fit naturally in that niche and provide better authentication than just passwords or key cards. The new focus on homeland security has only increased the interest in using biometrics in the government. Here’s a sample.

-Scott  Berinato 


Agency | Biometrics in use or in trial | Notes
Federal Aviation Administration | Face scan, voice print, fingerprint, hand geometry, iris scan | Part of a larger effort known as the Aviation Security Biometrics Working Group
Immigration and Naturalization Service | Hand geometry, voice print | Border crossings are adding biometrics
State of Connecticut | Fingerprint | Used to prevent welfare fraud
Office of Legislative Counsel, House of Representatives | Iris scan | One official says using biometrics to secure sensitive documents will get the office out of “password jail”
National Institute of Standards and Technology | Face scan | Leading an effort on behalf of 14 government agencies to vet facial recognition systems

SOURCE: FEDERAL COMPUTER WEEK AND GOVERNMENT REPORTS




•  Chief  Security  Officer 

•  Chief  Information 
Security  Officer 

•  Information  Risk  Manager 


•  Security  Architect 

•  Cyber  Forensic  Specialist 

•  Intrusion  Detection  Specialist 

•  Information  Security  Sales  Executive 


L. J. Kushner & Associates, L.L.C.

Securing Your Success

There’s a reason why we are the leader in Information Security Recruitment. That’s all we do.

Voice: 732.577.8100
Fax: 732.577.8277


The  Who,  What  and  Why  of  Washington 

Top  Billing 


NEWS  FROM  INSIDE  THE  BELTWAY 


No  More  Secrets 

Why  debate  over  the  proposed  FOIA  exemption  is  raising  fears  of 
more  corporate  chicanery  By  Julie  Hanson 


THE PROPOSED OFFICE of Homeland Security’s massive attempt to protect the country includes legislation designed to create open, yet secure, lines of communication between the government and the private sector. To do that, federal officials plan to exempt information that businesses provide to the government about security breaches, hacks and other critical infrastructure vulnerabilities from the Freedom of Information Act (FOIA).

FOIA requires the government to disclose requested records, but the proposed exemption would specifically shield the security and infrastructure information the private sector submits from disclosure.

FOIA private sector exemptions were approved by the House in late July, and the Senate is expected to review the legislation this month.

Debate over the exemption has been heated. Technology advocates say the exemption is critical for encouraging the voluntary reporting of confidential information. But privacy advocates feel that the exemption is excessive and instead will encourage corporations to keep more secrets from shareholders and customers.

David Sobel, general counsel for the Electronic Privacy Information Center (EPIC), says existing exemptions contained in FOIA already provide protection. For example, currently under FOIA, if a company considers information confidential, it can oppose the release of that information. Sobel claims exemption proponents have yet to cite an instance where the government has disclosed information against the wishes of a company.

Open knowledge of security flaws is the fastest way to correct them. We should not sweep this information under the rug, says Sobel, who testified before Congress that “if a company is willing to fudge its financial numbers to maintain its stock price, it would be similarly inclined to hide behind a ‘critical infrastructure’ FOIA exemption.”

But Harris Miller, president of the Information Technology Association of America (ITAA), disagrees, calling the exemption “the linchpin between breaking down the walls of information sharing and private business.”

According to Miller, several companies claim that current exemptions do not cover security information, and they worry that the sensitive information they give to the government will end up on the front page of The Wall Street Journal.

Legislators say their intention is to achieve openness, not let people off the hook for corporate blunders. A House Select Committee statement reports that “when individuals and businesses provide new information to the [Office of Homeland Security] so that the secretary [of that office] can assess vulnerabilities, that information will be protected”— a bold statement considering that the government is frequently unable to keep its own security secrets, let alone someone else’s. ■


For updates on FOIA legislation, visit our website at www.csoonline.com/wonk.


A Freedom of Information Act (FOIA) exemption would protect the private sector from security and infrastructure disclosures (see story, left).

Increased  penalties  for  computer 
crimes  were  almost  unanimously 
approved  (385-5)  by  the  House  through 
the  Cyber  Security  Enhancement 
Act  (H.R.  3482).  Under  this  bill,  if  the 
offender  “knowingly  causes  or  attempts 
to  cause  death  or  serious  bodily  injury" 
via  a  computer  crime,  the  penalty  could 
be  life  in  prison.  The  Senate  Judiciary 
Committee  is  reviewing  the  bill. 

A national privacy officer is part of the proposed Office of Homeland Security legislation (H.R. 5005) approved by the House (295-132). The House bill recommends that the officer assume primary responsibility for evaluating legislative proposals involving collection, use and disclosure of personal information by the federal government.

The House and Senate approved funding for IT initiatives as part of a $28.9 billion emergency wartime supplement. Approved funding will include $175 million for FBI initiatives, including IT; $201 million for first-responder grants in the Department of Justice; and $5.5 billion in attack recovery assistance to New York City.

The creation of a “national emergency technology guard” was approved by the Senate through the Science and Technology Emergency Mobilization Act (S. 2037). The guard will recruit IT experts and develop innovative technologies. The act also creates the Center for Civilian Homeland Security Technology Evaluation, a national clearinghouse to evaluate technologies relating to security. The House is reviewing the bill.




PHOTO  LEFT  BY  DECLAN  MCCULLOUGH;  TOP  BY  GETTYONE 


The Choice is EASY

How do you Unify Security Across the Extended Enterprise?

EASI Secures:
Web Services
Applications using Trust Management
Access across Multiple Tiers
End-to-End Transactions
Using Standards-based Technologies

EASI Cuts Costs by:
Leveraging Currently Deployed Security Products
Eliminating Repetitive Custom Integrations
Accelerating Secure Deployment of Revenue Generating Applications

Introducing EASI Security Unifier™
The Leader in Enterprise Application Security Integration

Quadrasis
We Unify Security
www.quadrasis.com
888-569-3803


TREND 

MICRO 


Technology cannot prepare us for the future. It is incapable of intuition.

If left alone, technology will do what it was originally designed to do. Nothing more and nothing less. Forever. But, in reality, every single moment of every single day is as different as the last.

Intuition is the application of knowledge based on experiences, patterns and trends. Only when technology is combined with the human ability to create new strategies can information be protected. Intuitive Information Security melds human intuition and adaptive technology together to create evolving strategies. Ones able to protect information and anticipate threats across the entire network instantly. Now, and well into the future. For more information, please visit trendmicro.com/go-red.

©2002 Trend Micro Incorporated. All rights reserved. Trend Micro Inc. and the T-ball logo are trademarks of Trend Micro Inc. and registered in certain jurisdictions. All other brand and product names are the registered trademarks of their companies.


Security  Counsel 


Disaster  Recovery 
Redefined 

OppenheimerFunds’  Mike  Hager  answers  readers’ 
questions  about  planning  for  the  unpredictable 
Edited  by  Kathleen  Carr 


Q:  How  did  Sept.  11th  affect  the  way  you  approach  disaster  recovery?  What 
changes  have  you  made  in  your  continuity  planning  as  a  result? 

A: The greatest impact of Sept. 11th on disaster recovery was the realization that we need to look at recovery not just as a technology issue but as a business issue. Does the term recovered mean that systems are up and operational, data from the most recent backup tape has been restored, and you can now input data? Or is something missing? Companies that worked in the financial world were a large part of the World Trade Center. For these businesses, their plans need to include not only how to bring the technology back online but how to get the data current.

Another issue that surfaced shortly after the attacks on Sept. 11th was: Where do people work now? The World Trade Center had provided more than 20 million square feet of office space, and after Sept. 11th there was only 10 million square feet of office space available in Manhattan. The issue of where employees go immediately after a disaster and where they will be housed during recovery must be addressed before something happens, not after.

The  last  issue  that  surfaced  after  Sept.  11th  was  employee  disaster  education. 
This  education  must  occur  at  all  levels  within  the  company.  Employees  must 
know  exactly  what  they  are  supposed  to  do  in  case  of  a  disaster,  and  be  drilled 
in  those  activities  to  reinforce  it. 

Q:  What  are  the  top  mistakes  that  CSOs  make  in  disaster  recovery? 

A:  There  are  several  major  mistakes  made  in  disaster  recovery  today.  These 
include: 

1.  Inadequate  planning:  Have  you  identified  all  critical  systems,  and  do  you 
have  detailed  plans  to  recover  them  to  the  current  day? 

2.  Failure  to  bring  the  business  into  the  planning  and  testing  of  your  recovery 
efforts. 


3. Failure to gain support from senior-level managers on the need for recovery. The largest problems here are:

■ Not demonstrating the level of effort required for full recovery.

■ Not conducting a business impact analysis and addressing all gaps in your recovery model.

■ Not building adequate recovery plans that outline your recovery time objective, critical systems and applications, vital documents needed by the business, and business functions by building plans for operational activities to be continued after a disaster.

4.  Not  having  proper  funding  that  will  allow  for  a 
minimum  of  semiannual  testing. 

Q: What advice would you give to security executives who need to convince their CEO or board of the need for disaster recovery plans and capabilities? What arguments are most effective with an executive audience?

A: If the events of Sept. 11th were not enough to convince your CEO or board members that there is a need to develop disaster recovery plans and capabilities, then I don’t know what will be enough. You must address the need for disaster recovery through analysis and documentation of the potential financial losses your company would risk if something happened and you were unable to recover. Work with your legal and financial departments to document the total losses per day that your company would face if you were not capable of quick recovery. By thoroughly reviewing your business continuance and disaster recovery plans, you can identify the gaps that may lead to a successful recovery. How to convince the senior leadership to fund your activities will become clear when you apply the financial losses per day for each occurrence. Remember: Disaster recovery and business continuance are nothing more than risk avoidance. Senior managers understand more clearly when you can show them how much risk they are taking. ■

Mike  Hager  is  vice  president  of  network  security  and  disaster  recovery 
for  OppenheimerFunds. 

Have a security topic to suggest or an expert you’d like to hear from? Send your thoughts to csoletters@cxo.com. See what your peers are discussing at www.csoonline.com/counsel.




PHOTO  BY  GEOFFREY  WHEELER 


© 2002 ADT Security Services, Inc.

Workplace Violence
Information Loss
Employee Backgrounds
Surveillance
Access Control
Risk Liability
Bio-Terrorism
Unspecified Threats

ARE YOU STILL RELYING ON TRADITIONAL SECURITY?

The world has changed. As security professionals, we now have to be prepared for anything, including the unspecified and the unthinkable. It’s an enormous responsibility, but one that doesn’t have to be yours alone. We understand how your job is more important now than ever before, and we want to help. Let us get to know your business and your concerns. Then we’ll draw from the broadest range of products and experience available, including the latest in digital video and access control. All to create a solution that meets the unique security needs of your company. Getting in touch is easy. Just call us at 1-877-258-6424 or visit adt.com. And when everybody looks to you for peace of mind, look to us. ADT. Always there.


Who’s  Responsible  for 
Being  Responsible? 

Our  law,  ethics  and  privacy  columnist  weighs  in  on  taking 
security  responsibility  to  the  top  of  the  corporate  ladder 

By  David  H.  Holtzman 


I HAVE TO CONFESS to a fascination for corporate roadkill. I love reading lurid details of insider naughtiness. Between Enron, Andersen and whatever is currently ripening under the treads of WorldCom, the past six months have kept me supplied with reading material for a long time to come. But for any director of a public company, these stories should serve as a chilling wake-up call as to how much sensitive information is sitting on corporate networks waiting to be found.

The privacy problem cuts two ways here. The same data handling sloppiness that infuriates customers and causes unfavorable publicity leaves a trail of digital spoor behind management activities that even Inspector Clouseau could follow.

Don’t get me wrong, I do not advocate that you whitewash illegal activities; I’m just wondering why the heck this stuff is sitting around for someone to read. I suspect the reason is that no one with any real authority understands the kind of data his company keeps or what the exposure might be if it gets out. And the people who do understand are not empowered to do anything about it.

Every company has sensitive information; perfectly legal decisions can create havoc if discovered in a civil suit or exposed to a competitor. But, just who is responsible for being responsible?

The technical answer, of course, is that the board of directors is ultimately and legally responsible for the actions of the company. But how does the board know that the company is facing this kind of exposure from operational issues?

Someone has to tell them, and this is the most valuable function of the CSO. Unfortunately, many corporate security czars are too low on the organizational totem pole to effectively interact with the board, and oblique reporting structures often blunt and filter those messages before they reach the board— or even suppress them outright. Here’s how it goes:

If the CIO runs security: CIO bosses prioritize around uptime numbers and bragging rights for tight-as-a-drum networks. To them, security is binary— it is secure or it isn’t. This mind-set can cause CIOs to delay reporting potential problems upward.

If the COO runs security: COOs are concerned about customer issues (read: sales). They will frequently manage security activity using existing customer relationship management, or CRM, systems. Instead of protecting the company’s larger goals, the focus is on closing individual trouble tickets.

If the CFO runs security: CFOs frequently believe that the best way to grow a company is to cut costs. Guess what happens when CFOs get their hands on a security organization. They evaluate security budgetary issues by scrutinizing every preventative capital expenditure or head count increase.

The bottom line is that CSOs must have unfettered access to the board. That is the only way directors can be certain the company is run honestly. Public companies have audit committees at the board level to scrutinize financial activity. Why not use a similar concept for security issues?

The health of a corporation is more dependent on thorough and knowledgeable preventative measures than on stopping sudden hemorrhaging from a public relations laceration. Firing the guilty is poor compensation to investors for an eroded market cap that may never return. Just ask investors in Merrill Lynch or Martha Stewart.

Shareholders must hold directors completely accountable for what happens in the company— that’s what directors are for. Directors must understand their security and ethical exposure— that’s what CSOs are for. ■


David H. Holtzman, former CTO of Network Solutions, also worked as a cryptographic analyst with the U.S. Navy and an intelligence analyst at DEFSMAC. He can be reached at dholtz@erols.com. Send feedback and column ideas to dduffy@cxo.com.




ILLUSTRATION  BY  ALAIN  PILON 


Why  just  detect  intrusions  when  you  can  prevent  them? 
OKENA  StormWatch  stops  attacks  dead  in  their  tracks. 

Intrusion  Prevention:  Security  Without  Signatures. 


QKENA 


www.OKENA.com 




Cover Story

THE CSO’S GUIDE TO STRATEGIC SHMOOZING

By Daintry Duffy

IN THIS STORY: Successful communication with top managers can help you build effective executive partnerships.

Exodus CSO Bill Hancock stresses communication over confiscation. PHOTO BY RANDALL SCOTT

A NEW CSO BILL HANCOCK FOUND his security team’s reputation summarized, symbolically, in the contents of a locked closet. He had been CSO for less than a week when he discovered the dirty little secret. A routine tour of the security facilities at Exodus (now the U.S. base of Cable & Wireless) in Santa Clara, Calif., turned up the closet. When Hancock opened the door, he saw 45 computers stacked high in a haphazard pile.

“What the hell is all this stuff?” he asked. Quite matter-of-factly, a security staffer informed him they were computers that had been hacked. Struggling to understand how that had led to this leaning tower of machines, Hancock asked, “Well, who do they belong to?” When that question seemed to stump the staffer, the magnitude of the problem began to dawn on Hancock. Not only had the previous CSO impounded computers instead of fixing them, the security team didn’t even know where the computers came from or whether replacements had been issued to their users. The message this sent to the rest of the company was reminiscent of Jerry Seinfeld’s despotic Soup Nazi: Been hacked? No computer for you!

As Hancock discovered at Exodus, the top security role in many companies is in desperate need of a reputation makeover. Nowhere is this more apparent than in the relationships between CSOs and other line-of-business executives. Though they are relative newcomers to the executive lineup (and in many cases are still waiting to get in the game), CSOs will achieve success based on the strength of their peer executive relationships. Why? Because in order to effectively execute security programs, CSOs will depend almost entirely on winning access to and cooperation from their fellow executives.

Naturally, a negative image can get in the way. “Security tyrant” is just one of the unfortunate sobriquets CSOs have earned. Business executives complain that CSOs kill projects with their unreasonable and expensive technology demands. They are “techies” who make no effort to understand or relate to the business. They speak in a foreign-sounding language, peppered with terms like buffer overflow and packet filtering. Their duties seem to consist largely of getting in the way of business rather than solving its problems. When the position devolves into stereotypes, the CSO role risks becoming marginalized. Other key executives will begin to engage in that time-tested business strategy, the end run.

In order to build strong partnerships, says Hancock, you need to deflate criticisms and communicate well with other top executives. “If you can’t explain to people how to solve a problem, they’ll never come back to you again,” he says. “They’ll do everything to work around you rather than work with you.”

We talked to some top CSOs to glean their best practices for making these critical executive partnerships work.

1. DON’T JUST SAY NO


AFTER DISCOVERING HIS PREDECESSOR’S punitive approach to corporate security, Hancock realized that he needed to rebuild the image of the Exodus CSO into that of a kinder, gentler team player. His first step was to track down the owners of those 45 confiscated computers. Many of them had in fact been computerless. Hancock gave the computers back, got them cleaned up, loaded them with new security tools, and briefed their owners on how to keep from being hacked again. Says Hancock, “Pretty soon people who once had fear and loathing in their hearts for the security guys began to say, ‘These are really nice people. They’re trying to help me be secure and will explain to me what’s going on.’” Hancock’s rule, which has been effective with employees and executives alike, is “Never tell people no. Tell them how.” That helps create the perception that security is an ally rather than an enemy.

In fact, changing perceptions requires that CSOs curtail all kinds of negative communication as much as possible. For example, instead of waging an endless battle to stamp out employees’ bad habits, look for technology solutions that will compensate for them. In practice that means— instead of raking employees over the coals for visiting forbidden websites or losing their laptops— you would deploy embedded technology controls that prevent access to certain kinds of websites or that automatically encrypt laptop data. “The tip is to look for noninvasive ways to implement security,” says James Christiansen, chief information security officer for General Motors. “[Users] don’t even realize it’s there, and if their laptop falls outside corporate hands, we know it’s protected.”

CSOs  should  also  consider  exploiting  exec¬ 


utive  partnerships  as  a  way  to  off-load  some  of 
the  dirty  work  of  communicating  with  the 
company  about  security.  Why  not  harness 
HR’s  expertise  in  policy  creation  and  dissem¬ 
ination  to  push  new  security  policies  out  to 
employees?  Internal  audit  groups  can  like¬ 
wise  be  useful  partners  when  departments 
disregard  some  company  policy  and  need  to  be 
whipped  into  shape. 

Giving  your  business  partners  both  a  voice 
and  a  choice  in  security  decisions  is  another 
way  to  foster  strong  partnerships.  If  CSOs  talk 
in  the  lexicon  of  risk  and  reward,  and  provide 
an  analytical  basis  for  decision  making,  they 
can  actually  leave  final  decisions  to  the  busi¬ 
ness  owners  closest  to  the  issues.  This  creates 
buy-in  within  the  business  groups  because 
they  are  ultimately  making  decisions  rather 
than  being  dictated  to  by  an  outsider. 

At  Merrill  Lynch,  Chief  Information  Secu¬ 
rity  and  Privacy  Officer  David  Bauer  believes 
in  laying  out  the  options  for  a  business  team: 
the  security  risks,  the  possible  solutions  and 
the  benefits  or  drawbacks  of  each  choice.  “Too 
often,  security  groups  come  back  with  [only] 
one  answer,  and  people  wonder  if  you  ana¬ 
lyzed  at  all,”  he  says. 

That  said,  there  are  of  course  times  when  an 
outright  “no”  must  be  firmly  articulated. 
Anticipating  that  necessity,  CSOs  will  find 
that  that  word  commands  much  more  respect 
if  they  use  it  sparingly  rather  than  reflexively. 
Otherwise,  CSOs  who  constantly  shoot  down 
projects  as  a  menace  to  corporate  security  may 
not  be  taken  seriously  when  real  dangers  arise. 
It’s  a  balancing  act  that  Hancock  describes  as 
a  benevolent  dictatorship.  Things  run  much 
more  smoothly  if  other  people  take  an  active 
part  in  the  decision-making  process.  But  when 
a  serious  security  issue  puts  the  company  at 
risk,  the  CSO  has  to  step  up  and  make  the 
call. 

2 


KNOW  THY  BUSINESS 


WHEN CHRISTIANSEN CAME TO GM from Visa, where he was also head of security, he found the transition jolting. "Walking into a manufacturing corporation from financial services was like being the 13th warrior," says Christiansen, referring to the 1999 film in which Antonio Banderas plays a cultured Arab forced to fight alongside barbaric Vikings (while the movie was a flop, it might make appropriate viewing for any CSO who's ever felt like a fish out of water in the executive pool). "You speak a different language, look different and dress different." So Christiansen did two things: He signed up for classes on the auto industry, and he made a point of doing a lot more listening than talking.

In learning about GM, Christiansen had to glean the intricacies of four very different business areas: manufacturing, GMAC (GM's financial services division), OnStar (the onboard satellite communications system) and the defense industry, with which GM works closely. But immersing himself in the business was a necessary step for Christiansen to be able to communicate with the company's business line executives. "Everything I bring them is cost additive, and that can create a natural conflict," says Christiansen. "I need to be able to show the bang for the buck, the ROI per dollar and how I'm going to help them solve business problems." None of that can be achieved without a keen understanding of the business and the recognition that the CSO's role is to enable business success in an appropriately secure context.

To combat the perception that security is divorced from the business world, Bill Boni, Motorola's chief information security officer, has even gone so far as to shun the usual moniker "IT security" in favor of the more business-friendly title "information protection." The goal is to position the department as the protector of information assets in all forms, whether it's customer data housed in a server or confidential contracts in a sheaf of papers.

Motorola CISO Bill Boni chooses his words carefully, preferring to call his area of activity "information protection" rather than "IT security."

Talking in business terms with executives can also be a tremendous asset in advancing the CSO's agenda, which is often bogged down by the perception that it's too technical for business executives to understand or to be bothered with. "I've seen too many information security practitioners fall short in their role because what they really love is the technology," says Boni. "They open with the technology dimension, go into technical detail, and by the time they get to the part where the executives' insight, experience and judgment can be engaged, the executives are already disengaged. They conclude that security is at a level that's inappropriate for their consideration."

The better tack, according to Boni, consists of four key elements: Understand the business, understand what makes it successful, identify the factors that can put that success at risk, and then find ways of managing that risk through technical, operational or procedural safeguards. Use that knowledge for your conversations with business executives.

Working with business executives is easier when you also arm yourself with knowledge of the initiatives that are under way in their business unit and the challenges each executive faces. It's helpful to have a network of sources you can draw upon to discuss threats, current projects, and any concerns or feedback that business units may have about security usability. These individuals can also act as the CSO's evangelists throughout the enterprise, spreading the word about new policies and threats.

3

PRACTICE YOUR DELIVERY

AS ANYONE WHO'S EVER BEEN TO A security conference knows, speeches about security can be deadly dull. Faced with the challenge of having to communicate about security to large groups both inside and outside his company, Hancock took the unusual step of enrolling himself in a stand-up comedy course to improve his communication skills. The final project for the class was to do an actual stand-up routine at The Improv, New York City's renowned comedy club, on a Friday night. "It was one of the most horrifying experiences I think I've ever been through," says Hancock. "You get up in front of an audience, half the people there are probably inebriated in some fashion, and you've got to communicate what you have to say very quickly, very succinctly and to a whole bunch of people that don't know you from nobody." The lesson here is not that CSOs need to be honing their comic routines, but rather that life is full of tough audiences. When dealing with a weighty topic like security, it's important to focus on how you communicate as well as what you communicate.

When Hancock joined Exodus, the relationship between security and finance was rocky. Finance folks viewed themselves as the guardians of the purse and Hancock's group as upstarts. Assiduously, Hancock started getting finance involved in security decisions so that they could learn the factors on which decisions were being made and thus understand the reasoning behind them. It was a carefully tailored education process that paid dividends for both sides. Later, when Hancock had to buy 800 firewalls, the finance department negotiated a leasing arrangement that saved his group a lot of money.

CSOs looking for someone with whom to commiserate over the difficulty of getting business executives to pay heed to seemingly arcane policies and procedures could do worse than hoist a few with the corporate counsel. Kingsley Wallman, vice president and associate general counsel with Exodus, notes parallels between the communication challenges faced by the CSO and those facing the legal department. Both groups are perceived as having been built around highly specialized disciplines that seem distant from the realities of business. And both call for the ability to communicate and interpret their fields to sometimes disinterested executives.

Wallman suggests that because CSOs must often communicate about conceptual and highly technical topics, they should make an effort to relate to their fellow executives in person. "A CSO—and I think Bill [Hancock] would agree—is often better served to pick up the telephone instead of sending an e-mail, and would do even better to put down the handset and walk down the corridor," he says.

And it's not enough to just go blabbing horror stories. What's needed is to put things in context. "It's translating threats into the risk to business and communicating that you're working with them, not against them, to come up with solutions," says Rick Lacafta, chief information security officer with Travelers Insurance.

PHOTO BY JEFF SCIORTINO

Like an external security vendor, the CSO needs to market his group's services across the enterprise, a skill few CSOs have mastered, to get the message out about what it can do for business units. Building a security plan is only the beginning. The CSO must then communicate the project deliverables and the game plan to the rest of the organization, and educate and evangelize about the benefits that each constituency will receive from the plan's implementation.

When talking to other senior executives about security, focus the message on their particular areas of responsibility and accountability. Show them how security can achieve one of their objectives. A CSO who effectively communicates his role to the enterprise will no longer have to chase down resistant project leaders and executives. Instead, the executives will begin to seek out the security team and value its contributions.

4 


GETTING  TO  YES 


FREQUENTLY, SECURITY DECISIONS rest upon the CSO's ability not only to communicate effectively but to negotiate well. Risk management is an imperfect art, and security vulnerabilities change by the day. Much of the CSO's time is spent negotiating toward solutions, both temporary and long-term, for unexpected vulnerabilities. Christiansen points out that the key to doing this well is to first reassure internal customers that your goal is to find a "cost-effective solution to the business problem." Translation: This is about solving a business problem, not breaking your budget with some big-ticket technology toys. "Next, as in any negotiations, understand their point of view, motivations and overall objectives," says Christiansen. "More often than not, given equal understanding, a way to accomplish both goals can be found." The sales technique of creating a "win-win" is a good goal to have, but if the security issue at stake is critical enough, CSOs can't afford to settle for dangerous compromises that will place the company at risk.

The last technique for effective advocacy is to ensure that executives and other employees can easily understand security policies and procedures in written as well as verbal form. At Merrill Lynch, Bauer requires his security staffers not only to think like businesspeople, but also to communicate like businesspeople. He instituted a rule within his group that IT security documents be brief, be free of dense technical jargon, and read like crisp executive summaries.

Executive MVPs

SHMOOZE 'EM OR LOSE 'EM

CULTIVATING A CREW OF most valuable partners from within the executive ranks can yield important benefits for CSOs: valuable insight into the inner workings of the company, a way to disseminate and validate the security agenda, and the leverage to achieve their goals. While the players may differ slightly depending on the industry, here is the roster of key individuals who should form the core of your MVP team.

VP of Human Resources: HR is a critical partner in managing employee network access (new hires and terminations), policy creation and dissemination, and training. HR's expertise in influencing employee behavior can also be a valuable resource. As a bonus, human resources could be a useful case study in overcoming a bad rap. Like the security function, HR used to be viewed as a bad business partner, plagued by insularity and detachment from the business.

VP of Finance: For all the obvious reasons, it's wise to build a strong relationship with the people who hold the purse strings. When capital expenditures are required for security, the process will run more smoothly if finance executives solidly understand the needs behind them.

VP of Marketing/PR: Marketing and corporate communications are the company's face to the marketplace. When a security situation arises, marketing and PR are critical to crafting and communicating the company's message to customers and business partners.

VP of Audit: The relationship between security and audit can be tricky. Both groups share the goal of governing standards and policies across the enterprise. The similar agendas could create a competitive climate, with one group constantly trying to trump the other. However, a strong partnership between the groups can be a tremendous asset to the CSO, with audit acting as the enforcement arm of the security group as well as its eyes and ears into the different business units.

General Counsel: A number of issues are converging between law and technology that make a good relationship with the general counsel's office important. This group is a valuable partner in situations involving privacy, technology misuse, copyright and trademark infringement on the Internet, and the growing nuisance of spam. The general counsel can also be an ally in drawing up airtight contracts that security vendors won't wiggle out of.

Physical Security Manager: In some companies both information security and physical security fall under the purview of the CSO. But even where they are separate functions, the relationship between the two is key to establishing an overall level of corporate security. Many of the controls that govern physical security are rooted in information security (access cards, biometrics). Physical security managers also play a central role in creating a secure IT environment since they conduct background checks and secure physical access to those precious data centers. (See "Taming the Two-Headed Beast," Page 40.)

Chief Information Officer: CIOs and CSOs can have conflicting agendas, even when one reports to the other. With the CIO focused on service delivery and the CSO proposing measures that add expense and delay to those services, it can be hard to achieve balance between the two roles. Consequently, the two need to have a close working relationship so that security concerns aren't swept aside.

Chief Executive Officer: Very few chief security officers have the ear of the chief executive, but security enlightenment must somehow be fostered at the top of the company. Whether CSOs deliver the message themselves or enlist another executive as their proxy, they should look for opportunities to get their agenda in front of the CEO. -D.D.

5 


GOT  CLOUT? 


FEW CSOS GET THEIR MARCHING orders directly from the chief executive. More often than not, they report to the CIO. But regardless of reporting structure, CSOs must make sure that they can escalate an issue to senior management if the situation warrants. "Make sure you have authority," says Mary Ann Davidson, CSO for software-maker Oracle. "Responsibility without authority is frustration." Whether validation comes from the CIO or CEO, the word needs to circulate around the executive suite and throughout the company that the CSO role is important.

There will be times when other executives, whether innocently or not, try an end run around the security group to get a business goal accomplished in the fastest, cheapest way. CSOs can take steps to thwart such attempts. The first is to institutionalize a policy requiring security sign-off in the design phase for all projects that involve a major change to infrastructure or an application. The sign-off document should list all the alternative mitigation strategies and the risks to the business of not implementing the stated requirements. The business unit executive can sign off on a decision to ignore the security group's proposed remedy and accept the risk. That is the approach GM has taken under Christiansen's direction. The signed documents are provided to the internal audit group, which can step in and flex its regulatory muscle if the agreed-upon policy is in any way violated.

James Christiansen, CISO of General Motors, is a believer in noninvasive ways to implement security. The goal should be that users don't even realize it's there.

Exodus's Hancock prefers a less-regimented technique that he calls security guilt. He holds a meeting with the responsible parties during which he appeals to their intellect and ethics and explains the risks of not including security in the initiative. "Usually people do want to do the right thing, securitywise," he says. It's just that they "may see security folks and procedures as an impediment to getting something done. I try to work out the issues so that they feel security is backing the project, not trying to kill it."

Building and maintaining strong relationships with business executives and their groups requires the CSO to assume a number of different guises: educator, strategist, negotiator, interpreter and, sometimes, disciplinarian. Oracle's Davidson has one last morsel of advice for CSOs interested in smoothing their way with other executives and the company at large. "People ought to be thanked for doing their job more often," she says, noting that CSOs will find more cooperation if they ask for it politely and show their appreciation instead of barking out orders and throwing their weight around. "Business is personal," Davidson says. "It's not being manipulative, it's just that you catch more flies with honey." ■

Senior Editor Daintry Duffy can be reached at dduffy@cxo.com.


Security officers want business visibility, but will CIOs let them have it? Read Senior Writer Sarah D. Scalet's ALARMED column, "Another Chair at the Table for the CSO." Go to www.csoonline.com/printlinks.




The  worlds  of  IT  and  physical  security 
are  colliding.  Here’s  what  to  do  about  it. 

By  Simone  Kaplan 


TWO  YEARS  AGO,  IF  YOU  WERE  THE  HEAD  OF 
security  for  an  organization,  it  meant  one  of  two 
things.  Either  you  were  trying  to  prevent  people  with 
guns  from  walking  through  the  front  door,  or  you 
were  watching  your  computer  networks  like  a  hawk, 
maintaining  firewalls  and  patching  software  to  ward 
off  hackers.  If  you  were  in  charge  of  the  physical  side, 
you  were  barely  aware  of  the  network  security  side. 
Let’s  face  it,  security  guards  weren’t  trained  to  install 
antivirus  software,  and  the  IS  guys  didn’t  know  much 
more  about  controlling  building  access. 

IN THIS STORY: Reasons for combining physical and info security ■ Results from companies that have done it ■ Tips for handling common budgetary and political challenges

ILLUSTRATION BY JONATHAN BARKAT

Well, the wall that separates physical and information security is crumbling, fast. At corporations and government agencies nationwide, security leaders are abandoning the fragmented, compartmentalized approach of the past and creating a unified, coordinated program of protecting buildings, people and networks. Executive-level security positions are popping up with increasing frequency as oversight of both IT and physical security is merging into one discipline. And for good reason: Many companies can improve the efficiency and effectiveness of their security strategy by combining the two sides. They can also save money by eliminating redundancy in resources and budget requirements. There's no need to spend thousands of dollars to set up a smart card building access system if your IT group already has the wiring and bandwidth in place for another project.

But security involves much more than just guarded gates and encrypted networks. Privacy, risk management, financial and health-care issues, policy creation and enforcement, and investigations all fall under the rubric of security. Bringing those issues under one roof requires strategic planning, communication and good management skills. That means making sense of responsibilities, says Chris Christiansen, an analyst with IDC (a sister company to CSO's publisher).

IT and Physical Security

"The people who own the gates, guns and guards are often totally independent of the IT people," Christiansen says. "But you have to know who was in the building, where they went, and what parts of the IT system they might have accessed. You need some reconciliation between the two for both to be stronger."

Creating a consolidated approach means policies, procedures and implementation are consistent. So today's CSO needs to find ways to integrate law enforcement and network protection, e-mail and electric fences. For some companies, appointing a CSO to oversee the merging of physical and IT security is a first step toward creating a safer environment.

THE INSIDE SCOOP

Putting a company's entire range of security operations under one roof is a trend that's gaining momentum in both the private and public sectors, but it's not by any means a new phenomenon. Like all things security, the trend toward merging the worlds of physical and IT security is getting lots of attention since Sept. 11 (the call for unified oversight is currently the preoccupation in Washington, on the heels of reports that the FBI and CIA dropped the ball in coordinating investigative efforts), but some have been doing it, or at least thought about doing it, years before security became the nation's number-one priority.

In fact, some see merging the two as a natural evolution of business practices. "We went from writing with pencil and paper to using a typewriter to the computer," points out Marty Lindner, team leader of incident handling at CERT Coordination Center. "Saying the physical [security] and IT are merging is like saying the typewriter and cyberworlds are merging. It's not an earthshaking change in security policy. It's a natural evolution toward learning how to use computers in areas where they were never used before, like tracking who's coming in and out of a building."

The move to combine the physical and information sides of security can be chalked up to three primary factors. First, technology began encroaching on what had traditionally been the territory of physical security. Second, bad economic conditions forced companies to scrutinize and improve their business processes. And third, security threats evolved from random instances to well-planned incursions on network and building security. Companies have become more computer- and Internet-dependent, and thieves and hackers have become more cunning. During the past five years, intellectual property theft and identity and credit card theft have stopped corporations and government agencies in their tracks. And internally, disgruntled employees have thrown computer networks for a loop.

"Security is security, whether it's in the physical or IT realm," says Bob Fox, vice president and CSO of Sprint corporate security. When Fox became CSO six years ago, Sprint's internal audit group members were fed up with the lack of attention that their security audits garnered from the senior executives, so they hired a major consulting firm to evaluate the company's information security. Their gambit worked. The consultant's report revealed exactly what the internal auditors had noted for years: Sprint's seven independent security organizations had developed disparate procedures and policies, were buying redundant, noncompatible equipment, and were spending large amounts of money on functions that could easily be consolidated. The report also uncovered holes in Sprint's security coverage. Essentially, the seven security groups didn't collaborate, and as a result, there were tasks that no one did because each group assumed another had it covered.

"The executive management team decided to consolidate all security into one organization with one leader who could look out for the entire corporation," Fox says. Managing the merger was one of the first things Fox did as CSO. The executive management's mandate created a strong team bond and cleared up all possible turf issues, Fox says. Merging departments also simplified the budget process at Sprint. Fox oversees a single corporate security budget, which is doled out by group to each of his internal security departments.

"When we do a security assessment, we start with the physical and go through all elements into the technical security," he says. "Both sides are learning more about each other, and I have employees who have asked to be moved into different parts of the security organization so that they can improve their technical or traditional skills."

Developing dexterity in both the physical and IT arenas is increasingly important as traditional physical security practices become more reliant on digital tools. Name tags and guest books have been replaced by smart cards that allow cardholders access to buildings and computer networks.

Business and security leaders now see that networks can be successfully secured, but if someone can physically get into the building and do something as simple as pull out a power cord, networks and businesses will remain vulnerable. Reliance on IT security alone is no longer sufficient for protecting networks, says Richard Maurer, senior director for the physical security group at Kroll, a security and protection services company in New York City, and member of the physical security council of ASIS International (formerly known as the American Society for Industrial Security). Strengthening physical security is vital to securing a company's assets.

Maurer tells the story of visiting a dotcom to do a security assessment. The company's owners bragged endlessly about how secure their network and phone room were, but they'd never looked beyond the confines of their office. "We said, 'Follow us,' went down the elevator to the ground floor, poked around a bit and found an unlocked door that led to a room containing every phone line in the building," he says. "Anyone with a pair of nail clippers could have taken their network out."

BLENDING  BUDGETS 

Merging the tools of the trade has made responsibility and oversight more complicated as security and IT leaders are forced to ask who’s in charge of what. But budgeting for consolidated security operations can actually make your relationship with the CEO and CFO stronger while keeping more money in your department’s pockets. “The selling point for creating a single security office is the cost savings,” says Eduard Telders, security manager at Pemco Financial Services, a Seattle-based group of independently owned insurance companies. Security is a cost center, and the value of preventing a possible attack is difficult to quantify in terms of revenue. Consequently, the security budget is an easy target when budgets are tight. “You save by creating a single department out of multiple departments, which eats up much less money,” Telders says. “Having a single security budget helps protect you from cost-cutting measures.”

While doing security assessments for Kroll, Maurer consulted with several Fortune 100 companies that were about to purchase new fiber cable and data storage for IP-based surveillance cameras. Maurer recommended asking their IT departments if they had extra cable on hand and available space on their network. They did, and that coordination alone saved the companies tens of thousands of dollars.

“The two groups simply have to talk to each other,” he says. “That’s where having a manager who oversees them both is beneficial.”

A consolidated security force also enables the CSO to create a unified approach to threats via coordinated plans and processes. Consider terminations, for example. If an employee quits or is fired, does your company have a coordinated process in place to block his electronic access to the building and shut off his e-mail?


“If I wanted to steal something like the designs for a new product, I could try to hack into the back-office research,” says Steve Hunt, a research analyst with Giga Information Group. “Or I could call someone in R&D and use social engineering to see if they’ll give them to me. I could even walk through the front door and impersonate a contractor or an employee to gain access to the information,” he adds. “These days, the threats are intertwined. The physical and IT [security] guys have to be operating on a coordinated response plan where everyone is on the same page.”

GEEKS  AND  COPS 

Despite the weight of opinion in favor of merging the two disciplines, getting people from both sides of the track to work together is, of course, no easy task. Finding and training qualified personnel, establishing new reporting structures and overcoming turf wars among traditionally independent departments are just a few of the challenges of bringing disparate security organizations together.

Foremost is the issue of experience. Security personnel tend to come up through the ranks in very different ways. On the physical side, many are former cops, FBI agents or Secret Service agents. Most IT security staff have come up the IT ladder. The two disciplines require vastly different skill sets— your average IT executive probably doesn’t know how to take down someone waving a gun, and not many ex-cops can configure a firewall. “Combining these skills is optimal for a CSO but is very rare,” says Hunt.

CSOs with a background in one specialty and not the other will gravitate to where their strength lies and solve problems using what they know— not necessarily the best approach in every situation. That is one of the drawbacks to merging physical and IT security. In other words, “if they know how to use a sledgehammer, then every [problem] is fixed with a sledgehammer,” says Ron Baklarz, CISO of the American Red Cross in Arlington, Va.

Some CSOs are responding to the challenge by getting certified in whichever specialty they know least. Telders started out modeling computer systems, became a CISSP (certification for the information systems security professional) and, in order to get a better grasp on the physical security side of his job, got a certified protection professional, or CPP, certification from ASIS International. Baklarz also came up through the IT ranks, became a CISSP and is in the process of getting a CPP. “That way I’ll have a better appreciation of what the physical side entails,” he says. Although he doesn’t see many of his peers getting certified in physical protection, Baklarz thinks doing so will make executives more marketable. “It’s also a good idea for physical security experts to get certified in infosec,” he says, “but the learning curve is sharper and the process will take longer.”

To be a CISSP, you have to work in the infosec field for a minimum of three years. There’s no such requirement to get a CPP certification. “I would never line up my knowledge of physical security against experts in the field— it’s more difficult to learn than a lot of people think— but picking up the IT end is more technically complex and it takes a few years to get up to speed,” says Baklarz. He points out that Howard Schmidt, vice chair of President Bush’s Critical Infrastructure Protection Board under Chairman Richard Clarke (see our interview with Clarke and Schmidt, Page 50), started his career in law enforcement and successfully migrated to information security.

Fox has put in time on both sides of the track and oversees Sprint’s entire security operation. He earned a bachelor’s and master’s from Michigan State in criminal justice with a concentration in security administration and spent several years as a police detective in Michigan. He doesn’t have a CISSP, but he has 40 technical employees who do.

The disparity among skill sets also creates a conundrum when it comes to reporting relationships. There seem to be as many variations on the reporting structure as there are hackers in high school. Fox reports directly to Sprint’s executive vice president and general counsel, and he has six technical directors who report to him and are responsible for physical security, network security services, network security engineering, data security operations, investigations and IS security.

“If you have seven security people reporting to seven different parts of the company, there are too many weak links. It opens up the organization to attack,” Fox says. “If something happens, people in the company won’t know who to call and so they don’t call anyone.”

CSOs don’t have to be an expert in every aspect of security; they simply need to be good managers, says Kroll’s Maurer. As long as they have direct reports with expertise in physical and IT security, he says, they can rely on their own good judgment and business sense.

An added challenge to security consolidation is the potential for turf wars. When staff members who are entrenched in their own world are forced to work closely with an unknown discipline, things can get tense, Telders says. “When departments are separated, too often you have people whose jobs are very similar— to protect the company. They’ll compete for the same resources, such as staff and equipment and budget, and it’s very disorganized,” he says. But when Telders was hired in 1991, he restructured Pemco’s security so that IT and physical security reported to him. During the process, territorial tendencies emerged, primarily in the IT staff, Telders recalls.

“There were questions in the IT department about who was in charge of security,” he says. “They didn’t understand why non-IT people were involved in security, which they saw as their domain. They weren’t trying to stake a claim, but they had a mind-set that got in the way.” However, once they understood that the new system was a partnership that would benefit them and the company, it was no longer an issue, Telders says. Training employees in both specialties is essential to making a merged organization work, he says. “You can do the work more efficiently, with one set of people trained in all areas so they can step into any role when needed.”


SECURITY CONSOLIDATION

Pros

■ Provides better protection with one coordinated threat response plan
■ Saves money by eliminating redundant functions
■ Gets an integrated view of your security landscape
■ Improves security effectiveness by looking at both IT and physical angles

CULTURE  COUNTS 

There are those who think putting everything together under one roof is unnecessary— even inappropriate. Physical and IT security organizations definitely need to communicate and cooperate, but merging the two isn’t the answer, says Roberta Witty, a research director in security and privacy with Gartner. “The skill sets involved are so different. A person trained in physical security doesn’t think the same way that an IT person trained in infosec does, and vice versa. They don’t know how to think along those lines. It’s a cultural difference.”

Witty’s argument is shared by some practitioners in the field. Pulling security personnel from multiple departments is counterproductive, says Mary Ann Davidson, CSO of server platform technology at Oracle. “If you rip people out of their native departments, you take them away from what they do best. It’s very ineffective. Besides, unless everyone in your organization understands their responsibilities for protecting the company— whether it’s updating virus definitions or preventing strangers from coming into the building— it doesn’t matter what kind of unified security force you put together. It won’t work.”

Davidson sits on Oracle’s product and corporate security steering committees with representatives from other departments. She has lunch every six weeks with the head of facilities, who handles physical security, but otherwise she sees no need for further integration. The corporate security committee provides a forum for all departments to contribute to policy creation, she says, and that collaboration covers all the bases.

Cons

■ Doesn’t make sense for every company
■ Requires a mix of both physical and IT skill sets
■ Complicates the reporting structure
■ Moves security employees outside their regular environment and reduces their efficiency

The benefits of bringing physical and IT security under one umbrella are industry-specific, Witty says. It makes more sense for companies in industries with a strong health and safety focus, such as manufacturing or chemical production, she says. It also works better for companies whose physical delivery system for products could be easily disrupted, such as oil distribution. The physical and IT security leaders should communicate regularly, she says, but unless there’s a real need, they don’t necessarily need to be merged into one department or report to the same person.

But to Fox, security consolidation has made his life and the lives of Sprint’s senior executives a lot easier by consolidating functions and allowing them to get a clear picture of the company’s security status and its vulnerability levels. It also helps them do better business, he says. “Companies want to work with us more because they know we protect people and information in the most thorough manner,” Fox says. “That’s a very important thing to anyone who does business these days.” ■

E-mail  Staff  Writer  Simone  Kaplan  at  skaplan@cxo.com. 


For more on combining IT and physical security, read THE NEED FOR A CSO HAS ARRIVED, a CSOonline analyst report from Giga Information Group. Go to www.csoonline.com/printlinks.


Cisco  Systems 


Integrating  Security  Into  the  Network 

The  New  Strategy  for  Defending  Your  E-business 

What is the risk of poor network security to your business? An average of nearly US $2 million per year, as reported by respondents to a recent 2002 survey by the U.S. Federal Bureau of Investigation (FBI). Threats to network security are a continuous and complex challenge for your enterprise. These threats will continue to grow — and new threats will emerge — as your networks become more open, extend to more locations, enable more applications, and support new technologies such as mobility and IP telephony.


The changing demands on network security can already be seen in the rising number of computer breaches. In the CSI/FBI’s 2002 Computer Crime and Security Survey, 90 percent of respondents (primarily large corporations and government agencies) detected computer breaches within twelve months, with 80 percent acknowledging financial losses due to these breaches.

While still a critical part of an overall security solution, firewalls and other standalone network security products are no longer adequate for protecting your network from internal and external attacks. Both network and security professionals are discovering that today’s networks need a new, comprehensive approach to security, one in which multiple security components overlap each other in a flexible, layered solution.

Cisco Systems is leading the industry by delivering the first solutions for comprehensive network security: a set of five new modules that will integrate essential security functions on the Cisco Catalyst 6500 Series of multilayer switches. Individual modules provide up to gigabit performance for firewall, intrusion detection, secure sockets layer (SSL) processing, network analysis management, and virtual private network (VPN) capabilities. These modules add to the services for increased business resilience and availability brought to Catalyst switches by the existing Content Switching Module (CSM). By supporting a comprehensive choice of security functions, the Cisco Catalyst 6500 Series modules enable the modular, flexible deployment of scalable security necessary to your vital networks, applications, and business operations.

Why  Embedded,  Integrated  Security? 

There are many sound reasons to adopt an integrated design for network security, including:

• The continuing variety and volume of network threats, which can only be addressed by a “defense-in-depth” strategy, supported by multiple and cohesive security components.

• Yesterday’s security products were designed for dedicated enterprise networks with a limited number of connections to other networks. Today’s interconnected networks have hundreds, and sometimes thousands of interconnections to other networks — requiring security products that can support an architecture for many different network designs.

• As networks continue to grow and change, the security design must keep pace — transparently — while enabling your network to continually deliver the required scalability and performance.

• Integrated security supports the smooth functioning of your entire e-business infrastructure, assuring that security functions do not become a hindrance to sales and other online activity.


• Network operations and management are simpler with integrated security, with the associated benefits of lower costs.

• A comprehensive, embedded, and integrated security design is more compatible with initiatives for new, interconnected network technologies such as VPNs, wireless, and IP telephony.

True integration means more than simple interoperability among security components; pervasive network security requires a comprehensive design. The SAFE Blueprint from Cisco gives businesses of all sizes a comprehensive set of best practices for creating a secure, defense-in-depth network. The integrated security modules for Cisco Catalyst 6500 Series switches are based on the SAFE Blueprint, assuring a good fit into your overall network architecture and security strategy.

About the Cisco Catalyst 6500 Series Switches

Cisco Catalyst 6500 Series Switches deliver highly available, secure, and converged network services for enterprise and service provider networks. These switches support gigabit scalability, high availability, rich services, and multilayer switching in backbone, distribution, and wiring closet topologies as well as data center environments. The Catalyst 6500 Series also offers exceptional scalability and value by supporting a wide range of interface densities, performance, and integration of powerful services modules.

By combining superior control-plane and packet-forwarding scalability with a rich set of intelligent services, the Catalyst 6500 Series gives enterprises a foundation for converged voice/video/data networks and e-commerce services.

Where is the logical point for integrating security capabilities? In the network infrastructure. The campus switch enables several advantages because of its key role in the network infrastructure. These advantages include:

• Higher performance of security functions without any degradation of switch performance

• Increased network flexibility, scalability, and availability

• Protection of the network core because the Cisco Catalyst 6500 Series switches become self-protecting

• Reduced overall cost of network ownership, through the ability to leverage existing network resources

• Seamless converged networks with security for all network services

• Increased collaboration among networking and security operations, a critical requirement for defense against today’s increasingly sophisticated attacks

Integrating Security with Cisco Catalyst 6500 Series Switches

The Catalyst 6500 Series security modules will support two configurations:

• Multiple security functions on a single switch, through the installation of the appropriate modules.

• Dedicated and enhanced processing of a single security function, such as intrusion detection, through installation of multiple modules of the same type in a single switch.


Cisco Catalyst 6500 Series Services Modules

Firewall Services Module: Implements firewall protection with up to OC-48 or 5 Gbps aggregate throughput and support for up to 1 million concurrent connections. This module is based on the award-winning Cisco PIX® Firewall technology.

SSL Services Module: Secures Web transactions with support for up to 60,000 concurrent connections and up to 4,000 new connections per second.

IPSec VPN Services Module: Provides secure, gigabit-rate VPN termination and traffic encryption to connect remote offices and mobile users.

Network Analysis Module: Monitors network activity in a gigabit environment, with a Web-based traffic analyzer to quickly identify potential security threats in the application layer.

Content Switching Module (CSM): With a full set of Layer 4-7 features, the Content Switching Module (CSM) integrates advanced content switching into the Catalyst 6500 Series to provide high-performance, high-availability load balancing of firewalls, web servers, caches, and other network devices.

Intrusion Detection System (IDS) Module: Processes network traffic directly from the switch backplane to detect and mitigate network intrusions.


Figure 1. For an extranet, the Catalyst modules can replace standalone security devices.

[Figure 1 diagram: data flow from a vendor router through an L2 switch interface, the firewall and intrusion detection modules, and an L3 routed interface to the core interconnect. Callouts: High Performance, High Availability Integrated Services; Reduced Rack Space and Cost of Ownership; Ease of Deployment.]

Do Standalone Security Devices Still Have a Role in Your Network?

Although the arguments are compelling for moving to an integrated security design, standalone security devices still have a role in many networks. A standalone device, such as a firewall appliance, may be just the right solution for a specific site or specialized application. The SAFE Blueprint offers guidance for choosing between integrated and standalone devices to meet specific security needs.


All modules are based on Cisco’s powerful node switch processor (NSP) technology, which supports greater performance, flexibility, and functionality than competitive products based on application specific integrated circuit (ASIC) technology.

The Catalyst 6500 Series security modules can be managed by Cisco network management products as well as selected applications from Cisco ecosystem partners. The integrated security design for the Catalyst 6500 Series is compatible with standalone security appliances from Cisco, including Cisco PIX Firewalls and Cisco Intrusion Protection products.

Two types of enterprise networks provide examples for applications of integrated security. The first example, shown in Figure 1, is a vendor extranet that replaces separate devices for firewall and intrusion detection with the appropriate modules on a Catalyst 6509 switch. In this example, the enterprise can eliminate the costs and management burden of separate devices while realizing greater operational efficiency and return on investments in the Catalyst 6500 Series switches.

Will  Security  Processing  Impact  Switch  Performance? 

Given the ever-growing traffic volumes and demands for switch services, network managers are understandably wary about adding new functions to a campus switch. Security functions require high processing capabilities, leading to a concern about their impact on switch performance. Cisco has addressed this concern by developing security modules that no longer require tradeoffs in network performance for increases in security. The newly released Cisco Catalyst 6500 security modules offer the fastest performance available today for security throughput, assuring no significant impact on switch performance.

From a network manager’s perspective, additional advantages of security integration include:

• An enhanced networking solution through integration of a high-performance Catalyst 6500 Series switch with market-leading security technology

• Protection of investments in Catalyst and NSP technologies with no compromise in security functions or network performance

• Easy integration into existing Cisco Catalyst 6500 Series switches

• Scalable and flexible design for adding security functions as needed

• Tighter integration of security with network services such as traffic policing and shaping


Why Should I Place Security Functions in the Campus Switch?

A natural concern of security managers is that integrating security functions at a single point — the campus switch — presents a risk in itself. Yet the advantages of integration present a strong case for making the shift from standalone devices. For a security manager, the advantages of integration include:

• A modular design that enables high scalability and significantly reduced costs, operational complexity, and management burden compared to standalone devices

• Security services that are adaptable to a wide range of network topologies through integration of diverse security modules

• Security modules deliver performance significantly higher than the levels offered by standalone devices

• Performance of discrete security functions can be increased by installing multiple modules of a single type (e.g., firewall)

• Network growth and change can be accommodated easily by adding new modules, as an alternative to adding standalone devices

Choosing an Integrated Security Solution

Cisco’s integrated approach to network security reflects networking leadership that will enable your business to more effectively meet security needs today and well into the future. Cisco is the only vendor currently offering an integrated design and campus switch modules for all essential aspects of network security. Together, the Cisco Catalyst 6500 Series switches and integrated security modules deliver an outstanding solution for campus networking and embedded, integrated network security.


Cisco Systems and WebEx: Extending Integrated Network Security with the Catalyst 6500 Series

Cisco customer WebEx Communications, Inc. has been testing the new firewall, VPN, and SSL modules for the Cisco Catalyst 6500 series. “Our testing of the firewall module so far has shown significantly faster sustained throughput than any other device we have found with similar functionality,” said Hesham Eassa, Manager of Network Engineering for WebEx. This higher level of firewall performance will enable WebEx to deploy more firewalls than would be the case with standalone devices, an important consideration for this operator of a large, global communications network.

Headquartered in San Jose, California, WebEx provides interactive conferencing services over the telephone or Web. These services are supported by a Cisco AVVID (Architecture for Voice, Video and Data) network that integrates voice, video, and data for enterprise activities such as meetings, presentations, training, and collaboration.


Talk LIVE to Cisco switching and security experts and learn how integrated security can help protect YOUR network. Register at www.cisco.com/go/SecurityTechTalk

For More Information:

Cisco Catalyst 6500 Series: www.cisco.com/go/Catalyst6500
SAFE Blueprint: www.cisco.com/go/safe




MANAGEMENT OF TECHNOLOGIES SYMPOSIUM

GUARDING YOUR BUSINESS: ENTERPRISE ARCHITECTURES FOR SECURITY


Never has the need for security been so great. Never has it been so hard for management to understand the requirements and allocate the necessary resources to safeguard the organization. This symposium aims to bring technology experts and managers together to mutually explore the issues and best approaches to protect the information and physical assets of the organization.

Highlights include:

• A day tutorial providing an overview of security technologies

• A presentation of the OCTAVE security risk assessment approach developed recently by researchers at the CERT Coordination Center of Carnegie Mellon’s Software Engineering Institute (SEI).

• A White Paper by the Information Civil Defense Task Force (ICDTF), a nation-wide group of CIOs that was formed in the wake of September 11 to ensure that business is better able to cope with internal and external security threats.

• A panel of Chief Security Officers will discuss security issues in the financial services industry.

• Exhibits by leading security vendors.


KEYNOTE  SPEAKERS 

Sallie  McDonald 

is  Assistant  Commissioner  for 
the  Office  of  Information 
Assurance  and  Critical 
Infrastructure  Protection  in  the 
Federal  Technology  Service  in 
the  General  Services 
Administration  (GSA). 

Yalkin  Demirkaya 

has  fifteen  years  of  law 
enforcement  experience  as  a 
detective  as  well  as  a  detective 
squad  commander.  He  is  the 
founder  and  currently  the 
Commanding  Officer  of  the 
Computer  Crimes  Investigation 
Unit  of  one  of  the  largest  law 
enforcement  organizations  in 
the  world. 


Register  online  at 

http://attila.stevens-tech.edu/motsymposium 


INFORMATION 
&  REGISTRATION 

Melissa  Vinch 

Tel  201-216-5550 

fax  201-216-5385 

email:  mvinch@stevens-tech.edu 

http://attila.stevens-tech.edu 

MOT  SYMPOSIUM  2002 

Howe  School  of  Technology 
Management 

Stevens  Institute  of  Technology 
Castle  Point  on  the  Hudson 
Hoboken,  NJ  07030,  USA 


STEVENS 


Institute  of  Technology 




Richard Clarke and Howard Schmidt are charged with spreading the CSO’s gospel to boardrooms across the land. But are their policy commandments ones you want to follow?

BY SARAH D. SCALET


Last September 11, the country got religion when it came to information security—at least until the smoke cleared. Nevertheless, from their new pulpit in the White House, Richard Clarke and Howard Schmidt are still trying to sell vendors, executives, politicians and ordinary citizens on a vision of a more secure future. And converts don’t come easily.

“About half of our job is marketing,” admits Clarke, President Bush’s cybersecurity adviser and chairman of the president’s Critical Infrastructure Protection Board, created last October. Clarke, 51, made his name as President Clinton’s counterterrorism adviser for most of the 1990s; vice chair Howard Schmidt, 52, is the former CSO of Microsoft. Together, the two men are information security’s most prominent preachers.

These days, when they make newspaper headlines at all, it’s for reporting doomsday scenarios about cyberattacks. At worst, their comments seem like needlessly alarmist attempts to get people to care about weaknesses in the nation’s financial, telecommunications, transportation systems and other pieces of the critical infrastructure. At best, for CSOs, they’re preaching to the choir.

IN THIS STORY: Security specialists Clarke and Schmidt discuss the FOIA exemption, the case for security spending, software vendor accountability and measuring progress toward national security.

In fact, in a lot of ways, the duo’s challenges aren’t so different from that of a CSO. Their roles are new, their power is limited, and their future is somewhat uncertain as Homeland Defense undergoes a restructuring. But whereas CSOs are influencing policy, spending and awareness in an organization or perhaps an industry, Clarke and Schmidt do so for the nation.

CSO went to their offices two blocks west of the White House not to hear their spiel about why corporate America should care about critical infrastructure protection—you already know that. Instead, we drilled them about how they might use their power to influence everything from a controversial Freedom of Information Act (FOIA) exemption to vendor accountability to procurement by the federal government. What they had to say may surprise you.

50 www.csoonline.com September 2002

National Policy

CSO: You’ve said that the FOIA exemption is the single most important policy change to improve information security. [Editor’s note: This controversial exemption would ensure that information given to the federal government about computer attacks would not be made public.] Why is it so important?

Richard Clarke: If you look at the Nimda virus last fall—a major attack that caused billions of dollars worth of losses to the private sector—not one company called us up to tell us they had been attacked because they wanted to be able to keep it secret.

They don’t want their customers and their stockholders to lose confidence. We understand that. But the result is that we have an inadequate perception of what is going on in the American information infrastructure.

Sen. Robert Bennett [R-Utah] probably puts it best. He says, Imagine you are a commander in charge of a battlefield, and you can only know about 15 percent of what is going on in that battlefield. How could you defend yourself? Well, if you look at our critical infrastructure, about 85 percent of it is in the private sector, and unless we can have some knowledge as to what’s going on there—like attacks, viruses, worms, denial-of-service attacks—then we’ll never be able to help defend it. Only by getting a FOIA exemption, narrowly written, will we ever be able to persuade companies that they can trust the government with information about vulnerabilities or hacks.

Is the exemption really necessary?

Clarke: Do you mean, are there already adequate provisions in the law that would exempt such information from a Freedom of Information Act request? Our lawyers say that the law as currently written would allow us to protect that information. But it doesn’t matter what our lawyers say. Only by having corporate lawyers say it will companies be persuaded to give us that information. The companies’ lawyers believe they need additional protection; therefore, we need to get additional protection.


If the law does pass, will an onslaught of people begin reporting information to you?

Howard Schmidt: It’s hard to tell. We think in some cases we’ll have companies come forth right away. In other cases there may be some hesitation; the general counsels of the various companies will have to look even deeper to find reasons why they may not be able to share information. There’s still the perception that a company’s ability to secure itself is a reputational issue, and that’s justifiable. I’m sure there will be a little bit of giving of information, seeing how that plays out. I don’t think it’s suddenly going to open the floodgates.

“There’s a lot of information about you and me in computers in federal departments—from military records to medical records—so we have an obligation to protect that information. We also have an obligation to put our money where our policy is.”

-Richard Clarke

Are you advocating any kind of tax benefits for spending on security?

Clarke: No, I think there’s enough benefit inherent for security spending that we don’t need to give people a tax break. The benefit comes from being secure. It’s more expensive in the long run to be insecure.

Is that a hard thing to sell CFOs on?

Schmidt: Not at all. The cost to recover from a virus attack, a denial-of-service attack or an intrusion escalates considerably [from that of preventive measures]. When the Melissa virus hit at a company that I had some insight into, it took about $14 million worth of labor effort, reconstitution, to bring that whole system up online after 10 days. [Later, with better processes in place] when Anna Kournikova hit the same company, they were able to contain it within 30 minutes. That 30 minutes translated into about $12,000 worth of effort—quite a difference from $14 million. That’s why the CFOs are saying, Hmm, it might cost me on the front end to do some risk management, but in the long term, I’m going to save money and reduce total cost of ownership.

As sad as it is to say, it seems like the viruses and worms have actually helped as far as demonstrating that ROI.

Clarke: I think there’s a silver lining to some of them because you know when you get hit. Frequently, when people penetrate networks, we don’t know it because they’re successful at it. They don’t leave traces. It’s helpful when we have major viruses and worms and denial-of-service attacks because they’re noisy and leave fingerprints, and we know it’s out there. People are then motivated to fix it. But that’s not the case when you have stealthy penetrations that leave back doors, Trojan horses, logic bombs.

What’s the administration’s position on holding vendors accountable for products that aren’t secure? And liability for products that aren’t secure?

Clarke: Those are two related but separate issues. One is holding vendors accountable, and one is doing it in court. We are very much in favor of holding vendors accountable. When a product fails, the vendor has a responsibility to quickly identify a way of fixing it and getting that patch out. And the patch not only should fix the problem, it shouldn’t interact badly with other widely utilized applications. It does us no good to get a patch that solves the vulnerability but then makes it impossible to use applications from other companies.

It’s not terribly valuable to litigate these problems. We’d like to find solutions that are quicker than long, multiyear litigation.

Schmidt: There are two other components. One of those is the market drivers that would induce people to be more careful and more responsive. People want to buy the things for which they have the best support. When you buy a car, if it doesn’t work well, you’re going to think twice before you buy from that maker the next time.

The second piece is if you look at the identification of what might be wrong with something. After Nimda, an informal survey asked those affected, Why were you affected, when the patches had been out for so long? The number-one answer was, people didn’t know that they needed to have the patches installed, which goes back to the accountability to the vendors.

What else is involved with convincing the vendors to create more secure products?

Clarke: The vendors tell us, We could create more secure products, but no one wants them. Then we talk to the procurement people—those in banking, finance, energy, government—and ask, Do you want more secure products? And they say, Yes! but the vendors won’t make them. That’s the dialogue of the deaf that Howard and I try to bridge. We take the critical infrastructure procurement people and the vendors by the hand and say, Let’s agree that we’re going to have more secure products. There’s actually a real role for us to bring people together to have dialogues that you would think would naturally occur. We also have a role that I call the honeybee role—we fly around flower to flower proliferating the message and sharing information, so that we’re able to learn what products are out there. We don’t recommend certain kinds of brands, but we do recommend certain kinds of services.




John Gilligan, the CIO of the Air Force, recently threatened to stop using Microsoft products until they became more secure. We’ve heard similar rumblings from others. How feasible is it to force government agencies to buy only certain products?

Clarke: The federal government tried 20 years ago to only procure IT products that were security-certified. It didn’t work because very few of the products could get certified in a timely manner. Exceptions were granted because people could demonstrate that there was no product available. So it became something of a farce.

We’re looking at whether we could do it in a smarter way. We don’t want to jump headlong into a full-up system of only procuring things that meet certain standards, but we do think there’s a role for smart procurement. We think that if there is a product that has been certified under the NIAP [National Information Assurance Partnership] program of the Commerce Department, it ought to be given an advantage.

Under the NIAP, you can bring your product, software or hardware, to a federally approved laboratory for testing, and if it passes, then it’s NIAP-certified. It used to be that the federal government did the testing itself, but there were so few people who could do the testing in the federal government that it took a long time. So what we’ve done now is the federal government certifies private sector laboratories to do the testing, so there are many more places to do the testing, and there have been a few products certified. You can find them on the NIAP webpage. [That program] is about 5 years old. We are looking at whether we can get more products certified and select some key products, and only have the federal government procure certified products in key areas.

Schmidt: We’ve seen the evolution of attacks against our IT systems. Each generation of products gets better and better at resisting those things, but it still takes time to get these things created, identified, coded,


shipped and then out to the public. If we were to say, Turn off the spigot of technology coming into the government, we’d be shooting ourselves in the foot, because the next generation is going to be better than the one that we’re currently running, and oftentimes you’re running two generations behind to begin with. So we have to look at the balance about what do we need to do to look at the smart procurement, while phasing in a higher level of standard and making sure the product is going to meet our needs today and not have to sit in a static mode for five years while we’re waiting for things to catch up—waiting for the approval process, waiting for people to make changes in their product to meet the threats of the day.

And then what about the old adage that you don’t know what you don’t know. Both of us get asked all the time, What do you see as the next generation of attacks? Well, you don’t know what you don’t know. It could be something we’re not aware of—it takes place down the road. And say, if that does occur, then all the sudden those products that have been certified are no longer valid. So we have to balance all those things into it, and it goes back to—that core thing I mentioned earlier—using the bright people from government, academia and industry all together to figure out how to make this work today as well as in the future.

If you look at the state of critical infrastructure on Sept. 10 versus now, what have the concrete accomplishments been?

Clarke: I think we can point to measurable improvements with the federal government’s security in its cyberspace networks. The budget the president sent to Congress in February asks for a 64 percent increase in funding to defend federal departments and agencies. That’s almost 6 percent of the federal IT budget on IT security. We’re trying to do two things with that. Obviously we’re trying to fix very serious problems that the federal departments have. But we’re also trying to set a model for the private sector, for members of corporate boards of directors, for CEOs. We want them to see that the federal government is spending 6 percent of its IT budget on IT security and ask, What are we doing at our company? Unfortunately most companies are not going to be able to say that they’re spending anywhere near 6 percent on security.

You quote a report that most companies spend more on coffee than on security. Is 6 percent a benchmark? A catch-up?

Clarke: It’s catch-up for the federal government, and it won’t be enough if we don’t sustain it or perhaps even raise it over several years. There’s no good figure that is appropriate for every company or every institution. That’s why we’re not saying 6 percent is the target. We’re saying that every CEO and every member of the board of directors should be asking the question, How much is enough for my company?

The federal government’s security is sometimes questionable. How much should federal agencies be a role model?

Clarke: We’d like federal agencies to be a role model, and unfortunately with few exceptions they’ve been a model of how not to do it. That’s why President Bush is so committed to fixing that problem. We have legal responsibilities to protect the information in federal departments. There’s a lot of information about you and me in computers in federal departments—from our military records to our medical records—so we have an obligation to the American people to protect their information. We also have an obligation to put our money where our policy is. For the first time with President Bush’s budget, we’re doing that.

“CFOs are saying, Hmm, it might cost me on the front end to do some risk management, but in the long term, I’m going to save money and reduce total cost of ownership.”

-Howard Schmidt

How do you measure improvement?

Clarke: There are probably guideposts along the way, but there aren’t measures of effectiveness that are more than anecdotal. You can look at the number of computer incidents; you can look at the dollar value of damage done by those incidents. Unfortunately those numbers are skyrocketing.

That doesn’t mean that we’re not making progress. If you look at traditional measures of effectiveness as how many incidents do you have and how bad are they, that would tell you we’re getting worse. And we are in some respects getting worse. The number of people who are connected, the number of functions connected to the Internet are going up, and the sophistication of the attack tools as well. At the same time, we’re making progress, getting the message out, getting more CEOs to care, getting the hardware and software manufacturers to develop more secure systems.

Schmidt: If you have a metric in which you identify the number of viruses found when you scan systems, is a lower number good or is a higher number good? That’s the challenge when you develop metrics like that. If you’re not catching many viruses, does it mean they’re not there or that they’re not affecting you? If you’re catching a whole bunch, does it mean you have a system that allows those things to proliferate?

The other challenge is quantifying a negative: How many burglaries have I prevented by having extra police cars on the street? If you don’t get broken into, that’s a good thing, but was it because you did the right thing, or because they were hitting somebody else at the same time? One of the things Dick and I look at collectively is, is there indeed a metric that we can use to identify when we’re getting better, and if so, how can we get that proliferated so that people have a better sense of good, bad or indifferent when it comes to metrics involved with security.

Clarke: Then there’s the unknown. Have our enemies penetrated our critical infrastructure successfully and we don’t know it? If there’s a big conflict between us and them, are they already in a position where they can disable our critical infrastructure? We don’t know. I’d be surprised if somebody hadn’t tried it.

Who are the enemies?

Clarke: We’ve stopped asking that question, and I think it’s important to stop asking that question. Before Sept. 11, people thought in terms of a threat paradigm: Who are the enemies, and when are they going to do it, and where, and what are they going to do? And they waited for that information before they acted. So, tell me the name of the terrorist group, tell me what airplane they’re going to hijack, what city they’re going to attack, when this is going to occur, and then I’ll do something to prevent it. Well, as we learned on Sept. 11, it’s too late frequently. Or you never get the information at all, and the attack just occurs. We’re therefore advocating rather than the traditional threat paradigm of who, what, when, where, a vulnerability paradigm that says, Don’t worry about who’s going to do it, because the person who’s going to attack you may not even know it yet. Don’t worry about when it’s going to occur. Don’t worry about where and what they’re going to do. Ask yourself what your vulnerabilities are. And then find that intersection between the things that are the most vulnerable and the things that would be the most damaging. It’s a shift from who, when and where, to where are my weaknesses, and what are the most important weaknesses that I have?

So it’s really self-reflection as opposed to...?

Clarke: As opposed to intelligence collection about the enemy. Because, as Howard says, many of these things take years to fix, and people who are not now actively our enemy may be three or five years from now. If all we do is collect intelligence about people we think are our enemies, we may miss what we should be doing.

I notice the word cyberterrorism has not come up.

Clarke: I don’t use it because it tends to cause people to think that the enemy is terrorists, and particularly terrorist groups that they identify and know about like al-Qaida or Hamas. There’s a whole spectrum of threats from the joy rider on the Internet that does Web defacements, to the person engaged in extortion, theft, fraud, industrial espionage, national intelligence espionage to information warfare. We have to worry about most of that spectrum, and most of the actors that you find on that spectrum are not people from terrorist groups. The other thing is you wind up not knowing the noise, what is dramatic at this moment or what just merely is a prelude to something that’s going to be more dramatic in the future. That’s one of the challenges we’ve always had in tracking these down—do you chase everything that happens, in the event that something will be more dramatic later on, or do you take the really dramatic looking stuff now? The bottom line is you never know. The term that I jokingly use is, until you put the “habeas grabus” on somebody and find out their intent, they could just be another joy rider out there. ■

Contact Senior Writer Sarah Scalet at sscalet@cxo.com.


View a webcast from CXO Media’s EXECUTIVE POLICY FORUM 3, where government and corporate leaders discussed protecting the homeland. Go to www.csoonline.com/printlinks.



PHOTOGRAPHY  BY  RON  HOLTZ 


Krizi Trivisani proves you don’t need to be a superhero to fight the ever-rising number of security violations at your organization. As security chief at The George Washington University, she focuses on the softer skills—like communicating with students, professors and administrators—to help her battle real-life villains.


Profile  |  The  George  Washington  University 


Information Security Officer Krizi Trivisani could be any self-assured graduate student at The George Washington University. Sashaying through the hallways dressed in a white sweater, short striped skirt and funky glasses, she heads toward her modest cubicle in the subbasement of the Academic Center singing “he-llo” to almost everyone she sees. She isn’t your typical security officer, and she knows it. “I remember sitting on one roundtable [of security experts] last year, and if you looked around the table you’d see man in suit, man in suit, man in suit—who’s that chick at the end?” says the 32-year-old Trivisani. “Which one of these doesn’t belong?”

The fact that she is making herself belong says much about her talents. At two reporting levels below the CIO, in a job grade that doesn’t require a college degree (she has a certification for the information systems security professional, or CISSP, but has not finished college), Trivisani has none of the built-in authority of an administrator or executive, and none of the bullying power of an ex-cop. But she has something else that may turn out to be more important: She can connect with people. When she talks about security, people listen—and even understand.

That’s a good thing, because a lot more is at stake than a dormitory mini-fridge chilling a few illegal Coronas. Based in Washington, D.C., The George Washington University (GW) is on the front lines of the hacker battle. “You have a fast pipe and no money to secure it,” is how SANS Director of Training Stephen Northcutt sums up the famed insecurity of university computer systems. Higher education is known for having large, fast, heterogeneous, open systems whose transient users enjoy privacy protection that most corporate users only dream of. That makes them popular targets for vandals and hackers who want to launch denial-of-service attacks, store illegal files—or worse. Last spring, the Secret Service began investigating who had installed keystroke capturing software at university computer labs in at least four states—“spyware” that would allow crooks to grab personal information from any student who typed it in. Meanwhile, Purdue University, one of the nation’s foremost information security training labs, was looking into whether hackers had stolen the names, addresses and Social Security numbers of 145,000 students. All this led some experts to fear that the next wave of computer crime would involve poorly secured university computers used to launch attacks on the U.S. government or the nation’s critical infrastructure.

To prevent just that, Trivisani is fighting an exponentially growing number of security violations on campus. And she’s betting that in the battle against online villains, awareness and education are her best—and only—weapons.

A New Kind of Fire Drill

Information security scaled its way into the nation’s ivory towers in the spring of 2000, when eBay, Yahoo and other websites were brought down by a high-profile string of distributed denial-of-service (DDOS) attacks. Before, a security breach at a university usually meant that someone had pulled the fire alarm at a residence hall at 2 a.m. The DDOS attacks—in which hackers often hijacked university systems to overload an e-tailer’s Web servers with so many bogus requests that they couldn’t respond to real ones—brought to light the vulnerability of the nation’s universities.

Around that time, GW CIO David G. Swartz had been advocating the creation of an information security officer role, a position he had decided should be part of IT because the audit and compliance offices would provide needed checks and balances. The timing was a coincidence, but a fortunate one. “We’ve always leveraged the crisis,” he says.

Trivisani’s fascination with security traces back to a day in the early 1990s when, as a supervisor for a branch of NationsBank in Maryland, she recognized a woman at the drive-through who had been forging checks. Trivisani called the cops and stalled for time, telling the woman that she had to go get a roll of quarters. The police arrived and arrested the woman, but the sad tale only then began to really unfold. The woman had left her infant at a crack house as collateral for drugs. The police worked with the woman’s husband, who had reported the infant missing, to get her back before raiding the house for drugs. “There are so many other people affected by security issues,” she says.

After that, Trivisani got more involved with fraud prevention and information security and eventually took a security job with the IT services company EDS. Then, in May 2000, she became information security officer for GW, reporting to CTO Guy Jones, who oversees a decentralized infrastructure that includes 13,000 Ethernet data connections that hook up all kinds of student and faculty computers, 12,000 telephone connections and 30,000 e-mail accounts, and Internet connections as fast as 155Mbps, with talk of pipes that carry 1GBps. And all of this has to be secured, while giving users as much privacy and academic freedom as possible.

Trivisani started a security awareness campaign almost immediately. Now, departments are beginning to ask her for help improving their security, and her group is further boosted by the fact that it’s been a year and a half since the university has had a security-related network outage. But there’s still a long way to go in convincing everyone—from tenured professors to incoming freshmen to network administrators—to care about security.

Violations...Times Two

If an alcoholic’s first step is admitting that he has a problem, the security officer’s first step is finding out how big the problem is, and Trivisani started by counting and categorizing the security violations plaguing the university. Then “we block ’em, we stop ’em, we work the cases,” says Trivisani, a 5-foot-8-inch extrovert with long blond hair and a distinctly casual demeanor.

58 www.csoonline.com September 2002

Many of the violations are reported to abuse@gwu.edu, a standard handle that many organizations use for security information. Others come from phone calls and system logs. All are recorded in the eight pages of metrics and graphs that Trivisani and her staff produce each month. Except in cases of severe infection, the numbers don’t include viruses and worms, which Trivisani estimates are carried in (and filtered out of) 1 percent of e-mails.

In 2001, the first year that numbers were available, the university logged 46,378 security violations. Two-thirds of those violations were minor, including port scans, blocked attempts to exploit specific vulnerabilities and suspicious activity that may be only a user error. Quite a few others were complaints about spam, a particular irritant for Trivisani, who tries to block as much spam as possible and forwards e-mails about illegal activity to the authorities. (“Spam legislation, please Lord, we need spam legislation!” she likes to exclaim, gazing up toward the acoustic ceiling panels.) Only 21 of the violations were severe hack attempts, all of which were boxes compromised by external sources and used to attack other areas. The CIO and CTO don’t want to know about most of the violations, but Trivisani gets them involved with the serious ones, although she refused to give details for publication.

For 2002, Trivisani expects the number of violations to double to about 100,000—as long as there’s not another worm on the scale of Code Red, in which case that number could triple. “It’s been a little while—and that is not a challenge to hackers! When it gets too quiet and nothing has come out in a while, we get nervous. You’re just waiting for the other shoe to drop,” she says.

Profile | The George Washington University

Dramatic as they are, the numbers make her CIO happy in that peculiar way of those who love metrics. “Now that Krizi is on board, we have some data,” says Swartz, who is heartened to find out that GW’s numbers roughly mirror national estimates. “The increasing number of violations is happening nationally,” he says. “I think we’re far ahead of other universities. Now how do you measure that? You measure that because [at other universities] there’s truly a lack of awareness of what’s happening. Can you break it into the subcategories that we can? [Trivisani’s] got a good handle on it, not just violations but by category.”

Their Best Weapon

Of course it’s not enough just to know about security violations. Trivisani and her team have to do something about them. And that’s where things get sticky, because the crime-and-punishment routine doesn’t tend to be popular. “We took it for granted that people wouldn’t like us,” says Senior IS Engineer Truyen Pham during lunch with Trivisani, CTO Jones and a half-dozen IT staffers who volunteered (or were volunteered) for security detail after Trivisani became security officer.

If the stereotypical security luncheon is filled with pale but tough-mannered men, this one looks more like a Unitarian church group, with various ages and colors. Pham worked as a doctor in Vietnam, arrived in the United States with no money and worked his way up at the university. Last spring, he won GW’s prestigious Presidential Award, in part for his work setting up GW’s infrastructure network, building a service for off-campus users to access GW’s computer resources and installing virus filtering on the e-mail servers. During dessert, he dumps a spoonful of cappuccino onto his ice cream, then squeezes a lemon garnish over the concoction. He gives a sly grin and says that the job takes creativity. If someone’s computer is attacked, don’t blame her, he says; help her. Someone else can worry about who’s at fault.

“It’s not our job to come in and punish people,” Trivisani explains. “We’re here to protect.” She passes on details about serious security violations to the appropriate group—usually the university police department and sometimes student services—and doesn’t want to know what steps are taken from there.

Overall, she’s trying to protect her users with a burgeoning education and awareness program—the “human firewall” concept advocated by a council with that name, of which she is a member. The idea behind Trivisani’s philosophy and that of the Human Firewall Council is that users, not technology, are the best line of defense in information security.

That’s why, on a muggy summer morning, you’re just as likely to find Trivisani at technology orientation for new students as you are to find her poring over policy or budget issues. At one session in late June, a couple dozen students and their parents showed up at 10 a.m. to an air-conditioned auditorium in the student union. The only questions were from parents trying to figure out what kind of computer to buy for their children, but Trivisani was unperturbed as she waited around afterward in case anyone had questions, using the time to encourage university staff members who had addressed the group. She wants to make herself accessible. “We’ve put a lot of processes in place to protect folks, but letting them know that we’re out here is very important,” Trivisani says. She also organizes educational sessions for the university groups she works with, including the university police department, student services, the legal department and network administrators from across the university.

Along the way, GW is working toward Level 3—the level recommended for universities, in the security assessment framework specified by the National Institute of Standards and Technology. “We’re not at that best practices level,” Swartz says. “We aspire to be there. At some point you go too far, and there’s a negative reaction. They’re all tenured out there.” For instance, when the university started mandating password changes, “you would have thought you’d killed their dog given the way they reacted,” he says. “It was something we needed to do, and we did it, despite the political reaction to it. The second time there was less reaction. And it gets easier each time.”


Not a Superpower

As people-focused as Trivisani is, her casual style makes it difficult to imagine her doing something like addressing the board of regents about increasing the security budget. And while she spends a lot of time educating users about, say, logging off e-mail when they leave the computer lab, she says most of the real security problems are caused by people outside the university. Maybe she’s playing to her strengths by focusing on student and staff education, an area where her age and accessibility work to her advantage. Or maybe GW is illustrating just how far the CSO role has to go before the officer quits worrying about fire drills and takes on a truly strategic position.

Trivisani insists that she has all the authority she needs. “We’ve been building really good relationships with all the departments,” she says. “If a CSO walks onto campus and basically says, ‘I am God, everybody bow down and do what I want you to,’ it’s not going to work.”

The question is, once Trivisani finishes her degree—she’s working on a combined bachelor’s of business administration and master’s in information systems from GW—will the university grow the job with her, or will she be tempted back into a more lucrative and powerful job in financial services?

“In financial services, information security has all the authority it needs. If it needs something, it’s done,” she says, a nod to the fact that sometimes the good people of GW just don’t get it. “In a university, we’re about balancing security with freedom and openness and sharing ideas. I like that. I’ve never wanted information security to be Big Brother.” ■

Sarah D. Scalet is a senior writer for CSO magazine. She can be reached at sscalet@cxo.com.


See CSOonline’s FUNDAMENTALS OF SECURITY, a security and privacy guide that is both a learning tool and a collection of the best of the Web as evaluated by our expert editors. Go to www.csoonline.com/printlinks.




StealthWatch
By Lancope
Advanced Threat Management

Not a Wish List. A Reality.

Using a behavior-based approach to intrusion detection, StealthWatch™ bridges innovation in security technology and network management with tangible results. Once deployed, StealthWatch prevents known and unknown external threats, as well as misuse from within the organization. With StealthWatch, you can identify vulnerabilities that contribute to lost productivity and network downtime.

Installed on the networks of Fortune 1000 organizations and government entities, StealthWatch ensures that critical assets of today’s largest enterprises are protected.

Request your free White Paper, "Security Benefits of Behavior-Based IDS" at http://www.lancope.com.

Register for the free Web security seminar "Behavior-Based IDS: Navigating the Unknown" at http://www.lancope.com/webinar.




Use a password to protect your VPN and your critical business data could end up almost anywhere.

The information accessed through your VPN shouldn't be considered banner news. But too often, it is. Because the only thing keeping it secure is a single password. That can have damaging effects on you, your customers, your partners, even your bottom line. With the RSA SecurID® solution, you'll protect your critical business data with two-factor authentication, securing your VPN and making it extremely difficult to hack. And because major VPN providers like Checkpoint, Nortel, Lucent, Cisco and dozens of others design their VPNs to work with RSA Security, you can be sure it will operate simply and flawlessly in almost any environment.

That means a lot less worrying about where your confidential information might show up.

To receive your VPN Security Info Kit and to qualify for a FREE 25-User Trial of RSA SecurID two-factor authentication, go to www.rsasecurity.com/go/vpn-CSO. Or call 1-800-495-1095.




RSA Security, SecurID and The Most Trusted Name in e-Security are registered trademarks or trademarks of RSA Security Inc., in the United States and/or other countries. ©2002 RSA Security Inc. All rights reserved.


Technologies, Tools and Tactics
Edited by Derek Slater

Biometrics Slouches Toward the Mainstream

The systems are getting cheaper, but accuracy and acceptance kinks remain. By Simson Garfinkel


With face recognition systems turning up in airports, palm geometry scanners installed at “secure” Exodus hosting facilities, and Panasonic selling the Authenticam iris recognition system for less than $200, biometrics have finally moved from the laboratory to the marketplace. Indeed, the International Biometrics Group pegs the market at $524 million in 2001, growing to $729 million in 2002. But if you screen out the hype, you’ll soon discover that few of those applications have progressed beyond technology demonstrations and early adopters. Having lived with a voice-print lock on my front door for seven years, I have a few words of advice to CSOs: Step slowly when deploying biometric systems within your organization. Instead of using biometrics to let people log in to their computer systems, start by using them to control physical access to buildings and high-security areas. Finally, make sure that you have a backup for when the system fails—because eventually, it will.

Fingerprints Everywhere

As the name implies, biometrics involves measuring the human body. In theory, any aspect of the body that is different for each person and that can be consistently measured can serve as a unique identifier. In practice, the biometrics being deployed can be packaged into readers costing $300 or less, which today means principally fingerprint-, iris- or voice-recognition systems.

Automatic fingerprint identification systems have been used with great success by law enforcement agencies since the 1980s. Fingerprints are by far the most widely used biometric today, and the most widely respected. Most people take it as a matter of faith that each person has his own unique fingerprint and that a computer can rapidly search out one person’s fingerprint from a database of millions. Indeed, we have become so enamored with the concept of fingerprints that the word is popping up all over: DNA-based identification systems are known as DNA fingerprinting; and the MD5 message digest code is commonly referred to as the fingerprint for a file.

ILLUSTRATION BY ANASTASIA VASILAKIS

Machine Shop

Badge Cams

Keith Henson wanted to solve two problems. First, he kept losing his car keys; second, he kept getting arrested.

It always took him an unreasonable length of time to find his car keys. And whenever he got arrested—four times, Henson says, for picketing at properties belonging to the Church of Scientology, of which he is an ardent foe—the first thing the police would do is shut off his video camera.

So Henson envisioned a way to record the events of a workday by capturing it in video frames taken every second or so: the Badge Camera, which as the name implies is a tiny camera inside a badge or employee ID card. Henson sees two large and promising initial markets: police departments, of course, and airlines—mechanics frequently misplace their tools, and looking for them wastes a lot of time.

But for the time being he is concentrating on the police market.

After the notorious Rodney King beating at the hands of Los Angeles police, more and more departments installed video cameras in police cruisers. Henson sees the Badge Camera as the next logical step. His economic argument: The liability cost of recent police misconduct in the city of Los Angeles amounted to $20,000 for every officer the city employs, Henson says; Badge Cameras could powerfully deter bad cop behavior and also provide conclusive evidence to refute bogus claims of police misconduct.

The units—still under development, and Henson is looking for backers—will retail for between $800 and $1,000 each, says Henson. The most expensive element of the device is the flash memory card, but each unit also requires a docking station through which the day’s captured images are downloaded at the end of each shift. And a complete system requires massive infrastructure for storing archival data. (Henson estimates that a department the size of the LAPD would generate the equivalent of 1,600 DVDs worth of content every three-shift day.)

Anyone interested in backing Henson these days will have to travel to Canada. After being convicted of a misdemeanor count of interfering with the practice of a religion—and, he says, fearful of his foes attacking him in jail—he fled north before sentencing.

-Lew McCreary

But it’s important to realize that the fingerprint systems that have been developed and refined for law enforcement are not the fingerprint readers that are making their way onto desktop computers. Law enforcement agencies use trained technicians to record fingerprints with ink and paper on 10-print cards; those cards are then digitized using an optical scanner and analyzed using proprietary algorithms. Pen-and-ink systems obviously can’t work in a corporate desktop environment, so a number of companies have tried to create so-called “live-scan” readers that will scan a fingerprint directly from a finger into the computer. The catch: Those readers don’t work for everybody. “Many live-scan fingerprint readers have a hard time getting a good fingerprint on, for example, people who have dry skin,” says Charles Wilson, a biometric expert at the National Institute of Standards and Technology. Those readers can also fail with thin skin or shallow ridges—traits common among the elderly. Depending on the reader, roughly one person in 1,000 may not scan successfully.

Iris identification is even more accurate than fingerprints, thanks to the tremendous detail and variation in each person’s eyes. However, there is again a small percentage of people who cannot use those systems, because, for example, of an inability to stabilize their iris, says James L. Wayman, director of Biometric Research at San Jose State University.

Biometrics can also be fooled by sudden changes in a person’s body—cut your finger, and you might not be able to log in. For all of those reasons and many more, every biometric that’s deployed in a real-life setting needs to have some kind of back door to let people in who can’t, for whatever reason, properly authenticate.

Authentication Vs. Identification

Biometrics can be used in two different ways. The technology can be used to authenticate an individual by comparing a biometric reading from a person with a single stored template, the so-called “one-to-one” application. A biometric-enabled ATM might check to see if the iris of the person who is trying to withdraw money matches the iris for the account holder that’s on file. Used in this manner, biometrics can be exceedingly accurate—especially if it is used in conjunction with a second factor, such as a smart card, PIN or password.

Alternatively, biometrics can be used to identify a person from a database of thousands or millions—the so-called “one-to-many” application. This is the way that biometric face ID systems from companies such as Viisage and Visionics (now called Identix) are being used at airports to scan for known terrorists. The computer has a database of known bad guys, and it consults the entire database as each potential traveler walks by. Those systems are inherently less accurate than one-to-one because the chances of a mismatch, or “false positive,” are proportional to the size of the database.
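To put numbers on the one-to-one versus one-to-many argument, here is an added example (not code from the article or from any vendor it names) that works out how the chance of a false match grows with the number of stored templates, and what a second factor buys. The per-comparison false match rate, watch-list size and daily traveler count are constructed sample values.

```python
"""Added example: false-match odds for one-to-one versus one-to-many biometrics.

The per-comparison false match rate (FMR), watch-list size and daily traveler
count used below are constructed sample values, not figures from the article.
"""


def p_any_false_match(fmr: float, n: int) -> float:
    """Probability that at least one of n independent comparisons against
    stored templates is a false match.

    n == 1 is the one-to-one case (verify against a single template);
    n > 1 is the one-to-many case (search the whole database).
    For small fmr * n this is roughly fmr * n, which is the article's point
    that false positives scale with the size of the database.
    """
    if not 0.0 <= fmr <= 1.0 or n < 1:
        raise ValueError("fmr must be in [0, 1] and n >= 1")
    return 1.0 - (1.0 - fmr) ** n


def fmr_needed(n: int, target: float) -> float:
    """Per-comparison FMR a system would have to achieve so that a one-to-many
    search over n templates raises a false alert with probability <= target."""
    if n < 1 or not 0.0 < target < 1.0:
        raise ValueError("n >= 1 and 0 < target < 1 required")
    return 1.0 - (1.0 - target) ** (1.0 / n)


def expected_false_alerts(fmr: float, n: int, subjects: int) -> float:
    """Expected number of innocent subjects flagged per period when each of
    `subjects` people is searched against a watch list of n templates."""
    return subjects * p_any_false_match(fmr, n)


def two_factor_impostor_rate(fmr: float, pin_digits: int) -> float:
    """Chance that a random impostor passes a one-to-one check that also
    requires a correct numeric PIN of `pin_digits` digits (one attempt,
    independent factors). Shows why pairing the biometric with a second
    factor makes the one-to-one case so much stronger."""
    if pin_digits < 0:
        raise ValueError("pin_digits must be non-negative")
    return fmr * 10.0 ** (-pin_digits)


if __name__ == "__main__":
    FMR = 1e-4            # constructed: 1 false match per 10,000 comparisons
    WATCH_LIST = 1_000    # constructed: templates on the airport watch list
    TRAVELERS = 10_000    # constructed: people screened per day

    print(f"one-to-one false match:    {p_any_false_match(FMR, 1):.6f}")
    print(f"one-to-many ({WATCH_LIST}):      {p_any_false_match(FMR, WATCH_LIST):.4f}")
    print(f"false alerts/day:          "
          f"{expected_false_alerts(FMR, WATCH_LIST, TRAVELERS):.0f}")
    print(f"FMR needed for 1% alerts:  {fmr_needed(WATCH_LIST, 0.01):.2e}")
    print(f"biometric + 4-digit PIN:   {two_factor_impostor_rate(FMR, 4):.1e}")
```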

On the surface, biometrics seem like the perfect tools for authenticating computer users. Unlike passwords, a biometric print can’t be forgotten—no more passwords written on yellow sticky notes—and bioprints can’t be shared, sold or stolen by social engineering. Indeed, that’s one of the reasons that I bought an ECCO voice-print lock for my front door: I was renting out a spare room in the house, and with the biometric reader, I never had to change my house’s locks.

But biometrics are not foolproof: A person’s bioprint can be captured, copied and then fraudulently submitted for verification. For this reason, readers need to have some sort of built-in security to make sure that they are actually performing a live scan; encryption should be used to protect data as it travels from the reader to the database; and the verification software should reject attempts that are too close a fit. Meanwhile, experienced biometric scientists know that they should never use a fingerprint scanner that doesn’t have a pulse detector or some other way to detect the culpable use of a severed digit.

Be very wary if you hear a company boasting about its system for “biometric encryption.” Because a biometric print will never read exactly the same way twice, biometric encryption systems need some form of error correction so that encrypted data can actually be decrypted at a later point in time. This error correction makes it easier for an attacker to “guess” the correct encryption key, since a close guess will be corrected. An even bigger problem with those systems: If your key is compromised, there is no way to change your fingerprint.
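The entropy that error correction gives away can be counted. Here is an added example (not from the article) that, for a key derived from an n-bit template where any reading within t bit errors is corrected to the enrolled value, counts how many templates collapse onto one key and how much key strength survives; the template length and error budget are constructed sample values.

```python
"""Added example: how error correction shrinks a biometric-derived key.

If a key is derived from an n-bit template and the system corrects any
reading within Hamming distance t of the enrolled template, then every
template in that Hamming ball maps to the same key. The number of keys to
be distinguished therefore drops from 2**n to roughly 2**n / |ball|, which
is the sense in which "a close guess will be corrected" weakens the key.
Template length and error budget below are constructed sample values.
"""
import math


def hamming_ball_volume(n: int, t: int) -> int:
    """Number of n-bit strings within Hamming distance t of a given string."""
    if n < 0 or t < 0:
        raise ValueError("n and t must be non-negative")
    t = min(t, n)
    return sum(math.comb(n, i) for i in range(t + 1))


def effective_key_bits(n: int, t: int) -> float:
    """Upper bound on the key entropy that survives correction of t errors:
    log2(2**n / ball volume) = n - log2(ball volume)."""
    return n - math.log2(hamming_ball_volume(n, t))


def bits_lost_to_correction(n: int, t: int) -> float:
    """Entropy given up so that a noisy re-reading still decrypts."""
    return n - effective_key_bits(n, t)


def tolerance_for_minimum_strength(n: int, min_bits: float) -> int:
    """Largest t such that effective_key_bits(n, t) >= min_bits, or -1 if
    even t == 0 falls short. Lets a deployer choose an error budget that
    keeps a target key strength instead of accepting whatever a vendor set."""
    best = -1
    for t in range(n + 1):
        if effective_key_bits(n, t) >= min_bits:
            best = t
        else:
            break  # effective bits only decrease as t grows
    return best


if __name__ == "__main__":
    N = 256  # constructed: bits in the template
    for T in (0, 8, 25, 64):  # constructed: bit errors corrected per reading
        print(f"n={N} t={T:3d}  keys left ~2^{effective_key_bits(N, T):6.1f}"
              f"  (lost {bits_lost_to_correction(N, T):5.1f} bits)")
    print("largest t keeping >=128 bits:", tolerance_for_minimum_strength(N, 128))
```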

Better for Doors Than Windows

That’s why I’m a big fan of using biometrics for physical access control—such as the front door lock that I had for so many years. Besides preventing people from sharing or duplicating keys, the lock made it clear to visitors that I took security seriously.

Deploy a fingerprint-based time-card reader at a supermarket and you can be sure that clerks won’t be punching each other’s time cards. Likewise, a hand geometry reader installed at an airport will prevent an $8/hour employee from giving the access code to a terrorist or selling a card for a few thousand dollars (and then reporting the card “lost” a few hours later). Even better, those systems are sold today as sealed, stand-alone units, which makes them both more reliable and more resistant to attack than bioprint readers on Internet-connected computers.

Within the coming months, expect to see live-scan fingerprint readers turning up in laptops and cell phones. Integration done by the manufacturer will reduce cost—ultimately to $25 or less—and increase the chances that those systems will actually work as intended. If they do, and if they are accepted by end users, then biometrics might take off in the coming years. If not, biometrics will probably be sent back to the labs for another decade of R&D. ■

Simson Garfinkel, CISSP, is a technology writer based in the Boston area. He is also CTO of Sandstorm Enterprises, an information warfare software company.


RESEARCH REPORT: VULNERABILITY MANAGEMENT

The Weakest Link. Energy companies trail other sectors in managing IT systems vulnerabilities, which bodes ill for our critical infrastructure. Survey respondents say...

Survey statement                                                              Auto/Manuf.   Energy   Financial Services   Life Sciences   Tech/Media   Telecom
We can identify/track vulnerabilities and measure compliance                       27%          9%          13%                30%            24%         20%
We have wide-scale vulnerability tracking; knowledge of all critical
  infrastructure vulnerabilities                                                    9%          9%          37%                10%            12%         20%
Vulnerability management info is obtained/administered on a periodic basis         46%         64%          31%                40%            34%         60%
Vulnerability management is ad hoc and handled by IT or security staff alone       18%          0%          19%                20%            18%          0%
Vulnerability management has not been addressed                                     0%         18%           0%                 0%            12%          0%

SOURCE: ERNST & YOUNG SURVEY OF 91 FORTUNE 500 COMPANIES


Steganography Tools

In July, prominent hacker groups went on the equivalent of a media tour, promoting newly developed steganography tools: Camera/Shy (from Hacktivismo) and Peekabooty (from the Cult of the Dead Cow). Coverage showed up in mainstream news sources such as USA Today.

Steganography hides additional information within an image file. So, for example, a website .jpeg file could also include an encrypted text message, invisible to the naked eye, and extractable only by viewers with the correct software and key.
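To show concretely what “hidden in the image, readable only with the key” means, here is an added example, not code from Camera/Shy, Peekabooty or the article, that hides bytes in the least significant bits of a constructed grayscale pixel array, visits pixels in a key-derived order, and shows that a wrong key recovers nothing usable. The 16-bit length header, the SHA-256 key hashing, the gradient cover image and the message are all constructed for the example; real tools operate on JPEG's compressed data, and plain pixel LSBs do not survive JPEG re-encoding.

```python
"""Added example: least-significant-bit steganography on a constructed
8-bit grayscale image. Everything here (header format, key handling, cover
image, message) is constructed for illustration, not taken from any tool.
Real use would encrypt the message before embedding; this demo does not."""
import hashlib
import random

HEADER_BYTES = 2  # constructed format: 16-bit big-endian payload length first


def _pixel_order(key: str, n_pixels: int) -> list:
    """Key-derived pixel visiting order. Hashing the key means the
    permutation seed does not expose the key string itself."""
    seed = int.from_bytes(hashlib.sha256(key.encode()).digest()[:8], "big")
    order = list(range(n_pixels))
    random.Random(seed).shuffle(order)
    return order


def _bits(data: bytes):
    """Yield the bits of `data`, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed(pixels: bytes, message: bytes, key: str) -> bytes:
    """Return a copy of `pixels` with length header + message in the LSBs."""
    if len(message) >= 1 << (8 * HEADER_BYTES):
        raise ValueError("message too long for the length header")
    payload = len(message).to_bytes(HEADER_BYTES, "big") + message
    if 8 * len(payload) > len(pixels):
        raise ValueError("cover image too small for the payload")
    out = bytearray(pixels)
    order = _pixel_order(key, len(pixels))
    for idx, bit in zip(order, _bits(payload)):
        out[idx] = (out[idx] & 0xFE) | bit  # overwrite only the lowest bit
    return bytes(out)


def extract(pixels: bytes, key: str) -> bytes:
    """Read the payload back. With the wrong key the length field and body
    are just the cover's own LSBs in some other order, so the result is
    either empty (implausible length) or unrelated bytes."""
    order = _pixel_order(key, len(pixels))
    lsbs = [pixels[i] & 1 for i in order]

    def take(n_bytes: int, offset: int) -> int:
        value = 0
        for b in lsbs[offset:offset + 8 * n_bytes]:
            value = (value << 1) | b
        return value

    length = take(HEADER_BYTES, 0)
    if 8 * (HEADER_BYTES + length) > len(pixels):
        return b""  # the claimed payload cannot fit: no message under this key
    body = take(length, 8 * HEADER_BYTES)
    return body.to_bytes(length, "big") if length else b""


def max_pixel_change(cover: bytes, stego: bytes) -> int:
    """Largest per-pixel difference; LSB embedding never changes a pixel
    by more than 1, which is why the change is invisible to the eye."""
    return max(abs(a - b) for a, b in zip(cover, stego))


def make_cover(width: int, height: int) -> bytes:
    """Constructed stand-in for a photo: a smooth horizontal gradient."""
    step = max(width - 1, 1)
    return bytes((x * 255) // step for _ in range(height) for x in range(width))


if __name__ == "__main__":
    cover = make_cover(64, 32)
    secret = b"hello, world"  # constructed sample message
    stego = embed(cover, secret, key="correct key")
    print("max pixel change:", max_pixel_change(cover, stego))
    print("right key:", extract(stego, "correct key"))
    print("wrong key:", extract(stego, "wrong key")[:16])
```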

Hacktivismo says Camera/Shy is intended to allow democracy activists in totalitarian countries to post or view banned Internet content without detection by government authorities. Of course, the name Peekabooty implies other, perhaps less noble uses. The most common fear, though, is that these tools will provide terrorist groups with electronic communications that can’t be broken—because the governments attempting to stop them won’t even know the messages are being transmitted.

Terrorist fears aside, steganography has plenty of useful applications. “It's important to remember how valuable this kind of watermarking could be for Hollywood and other content providers,” says Peter Wayner, author of the steganography primer Disappearing Cryptography. Steganography could encapsulate copyright and ownership information within video or sound files, Wayner notes. "It could help enable a good compromise that builds a reasonably priced Napsterlike system for supporting the artists. At least that’s my hope. Lord knows [the media companies] could mess it up too.”

Although steganography tools have been around for a while, Wayner expects Camera/Shy and Peekabooty will help popularize steganography, in part because they are relatively easy to use.

-Derek Slater




Double-Edged Success

My company has budgeted enough money so that security just hasn’t been an issue. Yet. And therein lies the problem.

By Anonymous


I am a victim of my own success.

You see, I’ve done a good job as the CSO of a major corporation. And because I’ve done my job so well, my company hasn’t suffered any major attacks. But then—precisely because I’ve done my job so well—no one sees the real value in the day-to-day security operations that keep the company safe. It’s the quintessential thankless job.

So now the company’s CIO wants to cut my budget. “There’s not much we can do about it,” he says. “We’re cutting budgets across the board. Why are you so uptight?”

“Because when you cut back on your budget, you have some wiggle room. You can cut things that are not so vital. We just get slower laptops. Or maybe we don’t get the upgrades to existing systems we want,” I observe. “But when I cut back on the security budget, I put the whole company at risk. If I don’t have the people and the technology to detect attacks—or if I lose the funds to implement protective systems to keep new attacks away—we can be taken down to the pavement in very short order.”

“Well,  still,”  he  says  dismissively,  “you’ll  just 
have  to  cut  back  like  the  rest  of  us  and  do  less.” 

And  that,  as  they  say,  is  that. 

Oh, sure, I could quote to him all kinds of statistics about what happens during an attack. I could talk about the financial decimation that can level a company that has been attacked. I certainly know where to get the latest CERT Coordination Center statistics that show how attacks have quadrupled since 2000. I subscribe to all the standard trade publications, have access to the IDC reports database and read all the industry analyst reports. I have the FBI and Computer Security Institute annual survey. I attend conferences sponsored by the Information Systems Audit and Control Association, the Institute of Internal Auditors and Internet Security Alliance. Heck, I talk to other CSOs who have been attacked. I know the situation with security attacks is bad, and I know it’s getting worse. I know that my company could be next in line.

And yeah, I have done the management education thing. I’ve thrown the “Do you see how much we spent to fix the crisis?” question at them. I’ve used various penetration analyses to demonstrate how we can get bounced.

But no one here listens. That is, until something ugly pops up and causes a major security event to occur. Then, of course, all bets are off. Management points fingers and demands security assistance. Employees try to affix blame on the security department for the lack of care and feeding. Probably—way deep down—everyone realizes that it’s not our fault. But someone has to take the blame.

Isn’t it ironic?

Which brings me to yet another irony. If a security event happens, it is most likely due to an employee who didn’t follow the rules and put illegal systems on the network with external connections that allowed a hacker access to the internal network. But all that is cast aside after the crisis happens. You sit knowing that had a budget been approved that allowed you to buy the scanning tool you needed to find the illegal box in the first place, the event would never have happened.

And then here’s the final insult: Even if you had prevented the illegal box from being on the network, no one would have known about how you intercepted it in the first place. No one would have appreciated the fact that an event could have occurred through that entry point. It’s a vicious cycle. If you start with enough money to prevent the attacks from happening, then on the next go-round your budget gets cut because the value of applying technology to stop the attacks is long forgotten by senior management. It may not be irony, per se, but it’s a damn shame.

I really find it frustrating that when a real crisis happens, we seem to spend more money on dealing with the issue at hand than we would have spent implementing the technologies to stop the crisis from happening in the first place. I’ve brought that up time and time again, but once the crisis is over, corporate fixations are on other areas that demand money that are unrelated to the security issues.
issues.  “We’ll  pay  for  it  if  we  need  to  and  only  if  we  get  hit 


k 


i08,900.oo 


;000.oo  $  1 1 
;.200.«o  $85 


66  www.csoonline.com  September  2002 


ILLUSTRATION  BY  MARTIN  O’NEILL 


MERGER 

PLANS 


IM  Corporation.  All  rights  reserved. 


Tivoli 


software 


SECURITY 

MANAGEMENT 

PLAY 


1  ]  WIN  WITH  SECURITY:  It  isn’t  always  about  hackers,  e-business 
security  must  also  ensure  that  only  the  right  users  (within  and 
outside  of  your  company)  get  the  right  information  at  the  right  time. 

2]  WIN  WITH  TIVOLI:  Whether  it’s  granting  access  to  customers  or 
CEOs  on  PDAs, Tivoli  Security  Management  software  centrally 
secures  and  manages  your  network  across  multiple  platforms. Tivoli. 
Part  of  our  software  portfolio  including  DB2f  Lotus®  and  WebSphere® 

3]  MAKE  THE  PLAY:  Visit  ibm.com/tivoli/secure  for  a  white 
paper  on  how  Tivoli  Security  Management  can  maximize  your  ROI. 


@  business  is  the  game.  Play  to  win. 


narks  of  International  Business  Machines  Corporation  in  the 


\&>.  ■ 

■  ' 

i#’ 

m 


ERP  and  CRM 


Peer  Review 


Enterp 

as  Only 


The  lllilh  About 

rise  Software... 


Only  Your  Peers  Can  Tell  It. 

Trying  to  take  the  guesswork  out  of  implementing  an  ERP  or 
CRM  application  may  seem  like  an  impossible  task.  Between 
evaluating,  negotiating,  budgeting,  selecting,  and  executing 
the  plan,  the  "unknowns"  can  seem  daunting,  and  the  process 
never-ending. 


Included  Are: 


*'■  Your  peers  grade  the  big 
4  ERP/CRM  vendors'  performance  on 
features,  ROI,  software  quality,  ease  of 
integration,  and  vendor  services. 


Reviews  of  the  vendors  and 


TURN  TO  YOUR  PEERS  — who  have  walked  this  path  before 
you— for  advice.  The  2002  ERP  and  CRM  Vendor  Scorecard 
from  Peerstone  Research  captures  the  challenges,  benefits, 
and  advice  from  the  true  experts  — 163  Enterprise  Application 
users  — real  practitioners  whose  experience  will  help  you  make 
the  right  decision  for  your  enterprise. 

For  only  $795,  the  2002  ERP  and  CRM  Vendor  Scorecard  is 

delivered  right  to  your  desktop  giving  you  immediate  access  to 
the  information  you  need.  Looking  for  peer-based  ratings  for 
enterprise  software  Systems  Integrators?  See  our  companion 
report,  the  2002  Systems  Integrator  Scorecard.  Printed 
copies,  volume  pricing  and  site  licenses  available  — see  our  web 
site  for  more  information. 


verbatim  comments  from  your  peers  — 
both  pro  and  con— for  each. 


Find  out  what  your  peers  are 
saying  about  enterprise  applications' 
ability  to  create  value,  how  to  derive  the 
maximum  benefit  from  ERP  or  CRM,  and 
all  the  other  implementation  questions 
keeping  you  up  at  night. 


V  X 

§§arafcgj|£ai  *V. 

2002 

ERRndCRM 
Vendor 
. . Scorecard 

The  TruWi  A)v-.«  ‘wiftwan* 

i*x  Only  Yi*/ ftu.Fk  Can  triUi 

Peer 

rimanch 


RESEARCH 

In  association  with  CXO  Media  Inc.,  publisher  of  CIO  and  Darwin  magazines 


FOR  EXECUTIVE  DECISION  SUPPORT  TOOLS,  VISIT  THE  CIO  STORE-THE  CIO’S  KNOWLEDGE  MARKETPLACE 

www.theCIOstore.com 


CSO  Undercover 


If  you  start  with  enough  money  to 
prevent  the  attacks  from  happening,  then 
your  budget  gets  cut  because  the  value  of 
applying  technology  to  stop  the  attacks  is 
long  forgotten  by  senior  management. 


badly,”  they  say. 

Sigh. 

You can tell me that it’s all in a day’s work of managing security. That other CSOs run into the same problem over and over again. Maybe it’s so, and intellectually, I even understand it (to an extent). But that doesn’t mitigate my frustration. Nor does it reduce the risk to my company. I seriously thought about including a certain amount of fluff in my budget so that the cutbacks wouldn’t hurt so much, but hey, I’m a security guy. Not only am I a little paranoid; I’m also painfully ethical, or I wouldn’t be in this business to begin with. Such creative budgeting techniques make me chafe in places where relief is not possible.

Still, I wish I had a solution to this dilemma. A friend suggested that I start up a bait store. I mean, we all have to eat, and bait usually doesn’t talk back. He may be on to something. Except with my paranoid nature, I’d probably begin to think that the fish were up to something.

Another friend of mine, who works for a security company and has spent many years training consultants, says, “Sometimes you have to let the train wreck happen to convince management of the errors of their ways.” I suppose that when it comes to budgetary issues, letting the train wreck happen means not being able to prevent every security event from occurring. Hopefully, the train wreck won’t be too bad when it does happen. And it will be seen by management as a wake-up call to instill the necessary budget required to keep such events from happening in the future. Until the next fiscal year, anyway.

In the meantime, I suppose I will sit back down with my spreadsheets and try to figure out which risks are less damaging than others. While I’m at it, I might as well get comfortable with the same old laptop that I’ve had for the past two years. It looks as if I’ll be living with it a bit longer. ■

This  column  is  written  anonymously  by  a  real  CSO  at  a 
major  corporation.  For  reader  feedback,  e-mail  us  at 
csoundercover@cxo.com. 


It’s a fact: Networks grow and proliferate every day — with or without your knowledge. Exposing your company to unknown and unseen risks. Lumeta is the only technology that comprehensively discovers and defines your IP infrastructure so you can spot risks and vulnerabilities before they turn into problems — or even disasters.

Visit our website at http://www.lumeta.com/pcCS00902 and get a free whitepaper “Manage and Secure Your Entire Network.”

You need to know what’s lurking on your network.

Lumeta's mapping of this Fortune 200 enterprise uncovered legacy partnership links (red) that should have been terminated years ago.

YOU CAN’T SECURE WHAT YOU DON’T KNOW.


THE  RESOURCE  FOR  SECURITY  EXECUTIVES 


Sales  and  Services 

CIO  Sales  Offices 

President  &  CEO 

Joseph  L.  Levy  •  508  935-4601 

Group  Publisher 

Gary  J.  Beach  •  508  935-4202 

Publisher  Bob  Bragdon  •  508  935-4443 

Executive  VP  Sales/Custom  Publishing 

Ellen  Romanow  •  508  935-4796 

East  Coast 

Senior  VP  Sales/East 
Michael  J.  Masters  •  973  244-4040 
Eastern  Regional  Sales  Manager 
Paul  Reiss  •  508  935-4163 
Senior  Regional  Manager 
Kathy  Powers  •  973  244-4041 
Regional  Sales  Manager 
Ellie  Schwab  •  973  244-4042 
Account  Executives 
Joan  Bonadeo  •  973  244-4043 
Gale  Tedeschi  •  973  244-4031 
Advertising  Sales  Associates 
Rhonda  Goodman  •  973  244-4033 
Sharon  Patrick  •  973  244-4044 

New  England 

Senior  Regional  Manager/Advertising  Sales 
Len  Ganz  •  508  935-4039 
Account  Executive  Kim  Harris  •  508  935-4068 
Senior  Advertising  Sales  Associate 
Dawn  Cora  •  508  935-4092, 

Fax  508  879-6063 

Mid-Atlantic 

Senior  Regional  Manager/Advertising  Sales 

Louise  Cupelli  •  215  627-8114 

Account  Executive 

Maureen  Welsh  •  215  627-8114 

Advertising  Sales  Associate 

Meredith  Hagan  •  215  627-8114 

Midwest 

Regional  Director 
Robert  E.  Sawdon  •  512  306-9801 
Regional  Sales  Manager 
Christopher  Nolan  •  847  441-5005 
Account  Executive 
Beth  Carlson  •  847  441-3140 
Advertising  Sales  Associate 
Brenda  Garza  •  512  306-9801, 

Fax  512  306-9805 
Advertising  Sales  Associate 
Kim  Giovanni  •  847  441-5005 

West  Coast 
VP  Sales/West 

Cheri  McKeithan  •  415  975-2685 

Senior  Regional  Manager/Advertising  Sales 

Jane  Evans  •  415  975-2680 

Regional  Manager/Advertising  Sales 

Ai  Collins  •  415  975-2686 

District  Manager 

Kristin  Nystrom  •  415  975-2687 

Account  Executive  Jeff  Odell  •  415  975-2682 

Senior  Advertising  Sales  Associate 

Derek  Jung  •  415  975-2683 

Advertising  Sales  Associate 

Tom  Ocampo  •  415  975-2693 

Southern  California 

District Sales Manager Chris Bramel • 949 475-5579
Sales Associate Isaac Ugay • 949 475-5579, Fax 949 475-5583


List  Services 

List  Services  Director 

Kathryn A.W. Marston • 508 935-4072

List  Services  Account  Executive 

Stephanie  Roy  •  508  935-4151 

List  Services  Coordinator 

Kim  Cormican  •  508  935-4152 

Online  Services 

VP/Online  Sales 

Lisa  Brown  •  508  935-4470 

Online  Sales  Mgr. 

Michael  McPhee  •  508  935-4611 

Custom  Publishing 

Group  Director  Michael  Siggins 
Director  Mary  Gregory 
Director  of  Content  Development  Tom  Field 
Project  Manager  Amy  Greenleaf 
Graphic  Designer  Chris  Brown 

Production 

VP/Manufacturing  Chris  Cuoco 
Production  Manager  Lee  Tuttle 
Ad  Production  Coordinator  Lisa  Stevenson 

Executive  Programs 

VP  and  General  Manager  Ronald  L.  Milton 
VP,  Event  Marketing  Cynthia  Mollus 
Director,  Marketing  Services 
Shellie  Rapson  James 
Director  of  Sales  John  Amato 
Manager,  Program  Operations  Brian  Fuce 
Manager,  Procurement/Tech.  Planning 
Cynthia  Laird 

Manager,  Program  Development 
Sherry  Keyles 

Event  Development  Specialist 
Sandra  J.  Hughey 
Program  Applications  Specialists 
Heather  Beauton  (Senior) 

Leah  Graves  (Assoc.) 

Senior  Program  Marketing  Specialist 
Karen  Peabody 

Operations  Coordinator  Michael  Barbato 
Fulfillment  Services  Coordinator 

Andrea  Slobogan 

Manager,  Event  Planning  Amy  Turell 

Marketing 

Executive  VP/Marketing 
Cathy  O'Leary  Hayes 

VP/News  and  Information  Susan  Watson 
Media  Relations  Manager  Karen  Fogerty 
News  and  Information  Assistant 
Lori  Piscatelli 

Marketing  Research  Director 
Bridget  Cammarata 
Marketing  Research  Manager 
Carolyn  Johnson 
Sr.  Marketing  Research  Analyst 
Dylan  DiGregorio 

Marketing  Comm.  Director  Sue  Yanovitch 
Sr.  MarCom  Development  Specialist 
Kari  Curto 

Marketing  Comm.  Coordinator 

Sarah  Crowley 

Reprint  Services 

For  article  reprints,  please  contact  Reprint 
Services  at  651  582-3800  or  e-mail 
csoreprints@reprintservices.com. 

For  further  sales  information,  visit 
www.csoonline.com/marketing/sales.html.


Index  of 
Companies  and 
Advertisers 

Page  numbers  refer  to  the  first  page  of  the 
article(s)  in  which  the  company  is  men¬ 
tioned.  This  index  is  provided  as  a  service  to 
readers.  The  publisher  does  not  assume  any 
liability  for  errors  or  omissions. 


Company  Index 

American  Red  Cross,  The  . 40 

Cable  &  Wireless,  USA  . 34 

Exodus  . 63 

Forrester  Research  Inc . 15 

Gartner  . 40 

General  Motors  Corp . 34 

George  Washington  University,  The  . 56 

Giga  Information  Group  Inc . 40 

Hurwitz  Group  . 15 

Identix  Inc . 63 

International  Biometric  Group  . 63 

International  Data  Corp . 40 

Kroll  Inc . 40 

Merrill  Lynch  &  Co.  Inc . 34 

Microsoft  Corp . 15 

Motorola  Inc . 34 

OppenheimerFunds  Inc . 30 

Oracle  Corp . 15,  34,  40 

Panasonic  USA  . 63 

Pemco  Financial  Services  . 40 

Real  User  Corp . 15 

Ropes  &  Gray  . 15 

SANS Institute, The . 56

Sprint  Corp . 40 

Symantec  Corp . 15 

Travelers  Insurance  . 34 

Viisage  Inc . 63 

Weidlinger  Associates  Inc . 15 

Advertiser  Index 

ADT . 31 

Computer Associates Intl. Inc . 5

CyberGuard  Corp . 23 

Digital  ID  World  Conference  . 21 

Fiberlink  . C3 

Genuity  . 71 

Group  Technologies  . 53,  55 

IBM  Corp . 8,  67 

Lancope  Inc . 61 

LG  Electronics  USA  Inc . 14 

LJ  Kushner  &  Associates  LLC  . 25 

Lumeta  . 69 

Netscreen  . 11 

OKENA  . 33 

Peerstone  Research  . 68 

PentaSafe  . C4 

Quadrasis  . 27 

RSA  Security  Inc . 62 

SAVVIS . 13

ServerVault  . 7 

Stevens  Institute  of  Technology  . 49 

Symantec  Corp . 2 

TippingPoint Technologies . C2

Trend  Micro  Inc . 28 


CSO  Contact 
Information 

Editorial,  Advertising  and  Business  Offices 

492 Old Connecticut Path, P.O. Box 9208,
Framingham,  MA  01701-9208,  508  872- 
0080. 

Postal  Information 

CSO  (ISSN  1540-904x)  is  published 
monthly  by  CXO  Media  Inc.,  492  Old 
Connecticut Path, P.O. Box 9208,
Framingham,  MA  01701-9208.  Application 
to  mail  at  Periodicals  postage  rate  is 
pending  at  Framingham,  MA  01701,  and  at 
additional  mailing  offices. 

Permissions 

Copyright  2002  by  CXO  Media  Inc.  All  rights 
reserved.  Reproduction  of  material  appear¬ 
ing  in  CSO  is  forbidden  without  written  per¬ 
mission.  Send  all  requests  to  Permissions 
Department,  CSO,  492  Old  Connecticut 
Path, P.O. Box 9208, Framingham, MA
01701-9208. 

Photocopy  Rights 

Permission  to  photocopy  for  internal  or  per¬ 
sonal  use  or  the  internal  or  personal  use  of 
specific  clients  is  granted  by  CSO  for  users 
through  the  Copyright  Clearance  Center, 
provided  that  the  base  fee  of  $3  per  copy  of 
the  article,  plus  $.50  per  page  is  paid 
directly  to  Copyright  Clearance  Center,  27 
Congress  Street,  Salem,  MA  01970.  Please 
specify:  ISSN  1540-904x.  Permission  to 
photocopy  does  not  extend  to  contributed 
articles  followed  by  this  symbol: 

Subscriptions 

Address  inquiries  to  CSO,  P.O.  Box  3482, 
Northbrook,  IL  60065;  866  354-1125.  CSO  is 
free  to  qualified  information  executives.  To 
all  others  the  one-year  basic  rate  is  $64.95 
for  the  United  States  and  Canada,  $105  to 
foreign  countries  (payable  in  U.S.  funds 
only).  The  single  copy  price  is  $6.95.  Please 
allow  four  to  six  weeks  for  new  subscrip¬ 
tions  to  begin. 

Change  of  Address 

Please  go  to  www.omeda.com/custsrv/cso 
and  follow  the  online  instructions. 

Postmaster 

Send  change  of  address  to  CSO,  P.O.  Box 
3482,  Northbrook,  IL  60065.  Printed  in  the 
USA. 




©  Copyright  2002.  Genuity  Inc.  All  rights  reserved.  GENUITY  and  Design  are  trademarks  of  Genuity  Inc. 


Internet  SECURITY 


vs.  MANAGED  Internet  SECURITY 


These days, you've got to go beyond VPNs, firewalls and access control solutions to keep your data secure. You need to actively manage every square inch of your network infrastructure. Going it alone is not the best option. Going with Genuity is.

We have the critical technology you need to keep your data secure. Genuity integrates managed security technology with our full portfolio of managed Internet services including: dedicated and broadband access, Voice over IP and Web hosting to provide converged voice and data solutions. And it all sits on our Tier 1 IP network for secure communication from virtually anywhere in the world.

But technology is, of course, only part of the story. You need the right people, too. Our experts actively manage and maintain your network. We live and breathe network security, 24x7x365. We monitor your network perimeter for security breaches and unplanned network failures, and look for potential weaknesses and recommend solutions before they become problems.

To find out how to make your business more secure, call 1.800.GENUITY or visit us at www.genuity.com/security.


GENUITY 


Pop Quiz

1. True or False: In February, the White House Office of Management and Budget released a report that found no correlation between the amount of money a federal agency spent on IT security and its effectiveness.

2. True or False: In April, President Bush's cybersecurity adviser, Richard Clarke, said that security at federal agencies was improving because the new budget sent to Congress called for a 64 percent increase in funding.

Questions 3 through 5 are according to Opensecrets.org.

3. Where did Microsoft rank on the list of top donors to campaigns in the 2002 election cycle?
A. 123  B. 29  C. 9  D. 2

4. How much did Bill and Melinda Gates and Steve and Connie Ballmer each give to Microsoft's PAC last year?
A. $208  B. $1,000  C. $5,000  D. $100,000

5. What is the occupation of both Melinda Gates and Connie Ballmer?
A. Philanthropist  B. Student  C. Homemaker  D. Unemployed

6. As of Aug. 14, how many U.S. Congress bills did the Electronic Privacy Information Center have listed on its electronic bill tracking webpage?
A. 21  B. 86  C. 226  D. 364

7. Which of the following are not real bills?
A. The Can Spam Act
B. The Aviation Biometric Badge Act
C. The Fair Credit Reporting Act Limitations on Actions Act
D. The Who Is E-Mailing Our Kids Act
E. All are real
F. None are real

8. True or False: All of the following are bills listed on EPIC's website:
Identity Theft Protection Act of 2001
Identity Theft Prevention Act of 2001
Social Security Number Privacy and Identity Theft Prevention Act of 2001
Protect Victims of Identity Theft Act of 2001
Restore Your Identity Act of 2001

9. How much in annual salary did the FBI offer its new CIO, who will manage a budget of $1 billion?
A. $74,999  B. $98,200  C. $132,000  D. $198,547

10. How does that compare with the average CIO’s salary?
A. 40% more  B. 10% more  C. 40% less  D. 10% less

11. According to Federal Computer Week, how many IT professionals have applied for 900 new technology positions at the FBI?
A. 503  B. 6,286  C. 47,000  D. 1.3 million

For questions 12 to 14, match each quote with its speaker.
A. George W. Bush
B. Donald Rumsfeld
C. Richard Clarke

12. “Digital Pearl Harbors are happening every day.”

13. “It’s important for us to explain to our nation that life is important. It's not only life of babies, but it’s life of children living in, you know, the dark dungeons of the Internet.”

14. “We’ve just got to find ways to get connected with the [tech] sector. Maybe there should be some kind of [advisory] board.”

15. True or False: According to Government Computer News, the U.S. Patent and Trademark Office said in its own report that its IT security is “passable.”

Answers: 1. True  2. True  3. C  4. C  5. C  6. C  7. E  8. True  9. C  10. C  11. C  12. C  13. A  14. B  15. False. The USPTO said, “Neither internal nor external customers can trust the PTO’s automated systems.”

How’d You Do?

0-5 correct: Tom Ridge’s job is safe
6-12 correct: Budding civil servant
13-15 correct: You should spend more time outside the Beltway



ILLUSTRATION  BY  PATRICK  MERIWETHER 




Does your remote access leave you a little... exposed?

For enterprise-class security, access and management, Fiberlink has you covered.

Just how secure is your remote access? How dependable is it? How hard is it to manage? If you want easy answers to these tough questions, you need Fiberlink. Only Fiberlink delivers a level of integrated security, access and management that optimizes remote access — anytime, anywhere. The confidence of policy-enabled remote access, with integrated authentication, intrusion detection, VPN, distributed firewall and virus protection. And because Fiberlink integrates many of the world's largest IP backbones into a single solution, you get true diversity and redundancy — making Fiberlink an integral component of your business continuity plan. It's no wonder that leading industry analysts recommend Fiberlink to their clients. Did we also mention that our customers typically reduce their costs by as much as 80%?

Learn more at www.fiberlink.com or call 1-800-UNKN01 today. Before you catch something.

Fiberlink Global Remote: for mobile professionals | Fiberlink Secure Broadband: for telecommuters | Fiberlink Global Connect: for branch offices

Fiberlink
www.fiberlink.com


“V” is for VigilEnt Integrated Security Management Solutions from PentaSafe.

TERRY MCMULLEN, General Manager, Jack Henry & Associates, PentaSafe customer

Jack Henry & Associates is VigilEnt with PentaSafe.

VigilEnt Integrated Security Management
■ Vulnerability Management
■ Intrusion Management

PENTASAFE SOLUTIONS

As General Manager of Electronic Services at Jack Henry & Associates, I'm responsible for the data processing of hundreds of banks and financial institutions nationwide. Our business and our clients demand the highest security standards. Since 1999, we've relied on PentaSafe’s VigilEnt software to help us secure millions of transactions every day.

See for yourself how PentaSafe security solutions can help you become more vigilant in managing security across your enterprise.

Want to find out more about PentaSafe's VigilEnt Integrated Security Management Solutions?

Go to www.pentasafe.com to:

■ Register for an Executive Security Briefing, featuring Gartner Group's John Pescatore.
■ Download our free "Integrated Security Management" whitepaper

PentaSafe
The safest way to grow your business.


